Mondex case study including libraries for data refinement

The original case study can be found on the web:

Susan Stepney, David Cooper and Jim Woodcock An Electronic Purse: Specification, Refinement, and Proof.
David Cooper, Susan Stepney, Jim Woodcock Derivation of Z Refinement Proof Rules: forwards and backwards rules incorporating input/output refinement

The technical report describing the KIV case study in more detail can be found here . This work was also published at Formal Methods 2006, the bib entry is:

@InProceedings{kiv-mondex-fm2006,
author = {Gerhard Schellhorn and Holger Grandy and Dominik Haneberg and Wolfgang Reif},
title = {{The Mondex Challenge: Machine Checked Proofs for an Electronic Purse}},
booktitle = {Formal Methods 2006, Proceedings},
year = 2006,
publisher = {Springer},
pages = {16--31},
series = {LNCS},
volume = {4085},
editor = {J. Misra and T. Nipkow and E. Sekerinski },
note = {}
}

The case study is organized in three projects, Mondex (containing the case study itself), Z-Refinement (containing the theory of refinement in Z) and DataRef (containing the theory of Data Refinement of Hoare and He as well the theory of refinement of the contract approach).

Mondex

The main specifications are:

simple-AASM (abstract level ASM as described in paper)
simple-BASM (concrete level ASM as described in paper)
The invariant for BASM can be found in specification BINV
earlier version of BASM with wrong invariant (between level). The failed proof attempt can be viewed in the theorem summary of specification BINV-orig
ASM refinement proofs are done in specification Mondex-ASM-refine . Proofs are directly linked here
definition of abstract operations like in Z : Mondex-AOP using auxilliary abstract ASM AASM
definition of concrete operations like in Z : Mondex-COP using auxilliary concete ASM CASM
Datarefinement proofs are done in specification Mondex-refine . Proofs are directly linked here
Proofs for Mondex security properties can be viewed in specification Mondex-SecProp .

Z-Refinement:

Definition of abstract datatype with Input / Output can be found in IO-DT-basic (renamed to IO-ADT and IO-CDT )
Definition of proof obligations for the contract approach with IO and invariants: IOconbackward-INV
Proof that this implies refinement of the contract approach by instantiating conbackwardINV-is-conrefine from Project DataRef can be found in specification IOconbackwardINV-is-IOconrefine

Data Refinement

Data Refinement according to Hoare / He:

DT is the specification of an abstract datatype (renamed to ADT and CDT )
Specification of refinement correctness is refine
Specification of forward simulation: forward
Specification of backward simulation: backward
Proof that forward simulation implies refinement: forward-is-refine
Proof that backward simulation mirrors forward simulation: mirror-backward
Proof that backward simulation implies refinement: backward-is-refine

Data Refinement using the contract approach and invariants:

proof obligations for backward simulation: conbackward-INV
definition of refinement for the contract approach: conrefine
instantiation of backward simulation of Hoare / He with definition of contract embedding: conbackwardINV-is-backward

[Impressum] [E-Mail]