wolff.bib

@preamble{{\def{\ac}[1]{\textsc{#1}} } # {\def{\acs}[1]{\textsc{#1}} } # {\def{\acf}[1]{\textsc{#1}} } # {\def{\TAP}{T\kern-.1em\lower-.5ex\hbox{A}\kern-.1em P} } # {\def{\leanTAP}{\mbox{\sf lean\it\TAP}} } # {\def{\holz}{\textsc{hol-z}} } # {\def{\holocl}{\textsc{hol-ocl}} } # {\def{\holboogie}{\textsc{hol}-Boogie} } # {\def{\isbn}{\textsc{isbn}} } # {\def{\doi}[1]{\href{http://dx.doi.org/#1}{doi: {\urlstyle{rm}\nolinkurl{#1}}}}} # {\def{\unixcmd}[1]{\textsc{#1}} } # {\def{\UML}{\textsc{uml}} } # {\def{\OCL}{\textsc{ocl}} } # {\def{\HOL}{\textsc{hol}} } # {\def{\IMPOO}{\textsc{imp++}} } # {\def{\posix}{\textsc{posix}} } # {\def{\testgen}{\textsc{HOL-TestGen}} } # {\def{\testgenFW}{\textsc{TestGenFW}} } # {\def{\item}{} }}
@article{DBLP:journals/afp/BruckerMW24,
  author = {Achim D. Brucker and
                  Nicolas M{\'{e}}ric and
                  Burkhart Wolff},
  title = {Isabelle/DOF},
  journal = {Arch. Formal Proofs},
  volume = {2024},
  year = {2024},
  url = {https://www.isa-afp.org/entries/Isabelle\_DOF.html},
  timestamp = {Mon, 27 May 2024 11:08:41 +0200},
  biburl = {https://dblp.org/rec/journals/afp/BruckerMW24.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}
@inproceedings{DBLP:conf/zum/BallenghienW24,
  author = {Beno{\^{\i}}t Ballenghien and
                  Burkhart Wolff},
  editor = {Silvia Bonfanti and
                  Angelo Gargantini and
                  Michael Leuschel and
                  Elvinia Riccobene and
                  Patrizia Scandurra},
  title = {Event-B as {DSL} in Isabelle and {HOL} Experiences from a Prototype},
  booktitle = {Rigorous State-Based Methods - 10th International Conference, {ABZ}
                  2024, Bergamo, Italy, June 25-28, 2024, Proceedings},
  series = {Lecture Notes in Computer Science},
  volume = {14759},
  pages = {241--247},
  publisher = {Springer},
  year = {2024},
  url = {https://doi.org/10.1007/978-3-031-63790-2\_18},
  doi = {10.1007/978-3-031-63790-2\_18},
  timestamp = {Fri, 19 Jul 2024 23:15:46 +0200},
  biburl = {https://dblp.org/rec/conf/zum/BallenghienW24.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org},
  pdf = {http://www.lri.fr/~wolff/papers/conf/2024-ABZ-HOL-B.pdf}
}
@inproceedings{Brucker_2024_IsaWS,
  author = {Brucker, Achim D. and Meric, Nicolas and Wolff, Burkhart},
  title = {Isabelle/DOF --  Extended Abstract and Tool Demonstration},
  booktitle = {Proceedings of the ISABELLE WORKSHOP 2024 as part of ITP 2024, TBlissi, Georgia},
  series = {SKETIS '24},
  year = {2024},
  location = {TBlissi, Georgia},
  pages = {19--24},
  pdf = {http://www.lri.fr/~wolff/papers/workshop/Brucker_2024_IsaWS.pdf},
  classification = {workshop}
}
@article{HOL-CSP_OpSem-AFP,
  author = {Beno{\^{\i}}t Ballenghien and Burkhart Wolff},
  title = {Operational Semantics formally proven in HOL-CSP},
  journal = {Archive of Formal Proofs},
  month = {December},
  year = {2023},
  note = {\url{https://isa-afp.org/entries/HOL-CSP_OpSem.html},
             Formal proof development},
  issn = {2150-914x}
}
@article{HOL-CSP-AFP,
  author = {Safouan Taha and Lina Ye and Burkhart Wolff},
  title = {HOL-CSP Version 2.0},
  journal = {Archive of Formal Proofs},
  month = {April},
  year = {2019},
  note = {\url{https://isa-afp.org/entries/HOL-CSP.html},
             Formal proof development},
  issn = {2150-914x}
}
@article{HOL-CSPM-AFP,
  author = {Beno{\^{\i}}t Ballenghien and Safouan Taha and Burkhart Wolff},
  title = {HOL-CSPM - Architectural operators for HOL-CSP},
  journal = {Archive of Formal Proofs},
  month = {December},
  year = {2023},
  note = {\url{https://isa-afp.org/entries/HOL-CSPM.html},
             Formal proof development},
  issn = {2150-914x}
}
@techreport{wolff:hal-03429597,
  title = {{Modelling and Proving Safety in Autonomous Cars Scenarios in HOL-CSP}},
  author = {Crisafulli, Paolo and Taha, Safouan and Wolff, Burkhart},
  url = {hal-03627500},
  type = {Research Report},
  institution = {{University Paris-Saclay ; IRT SystemX, Palaiseau}},
  year = {2021},
  month = oct,
  pdf = {https://www.lri.fr/~wolff/papers/other/MPSAC-HOL-CSP.pdf},
  hal_id = {hal-03627500},
  hal_version = {v3}
}
@article{RAS-CTW-CPSinCSP,
  title = {Modeling and analysing {C}yber \– {P}hysical Systems in {HOL-CSP}},
  journal = {Robotics and Autonomous Systems},
  volume = {170},
  pages = {104549},
  year = {2023},
  issn = {0921-8890},
  doi = {https://doi.org/10.1016/j.robot.2023.104549},
  url = {https://www.sciencedirect.com/science/article/pii/S0921889023001884},
  author = {Paolo Crisafulli and Safouan Taha and Burkhart Wolff},
  pdf = {https://www.lri.fr/~wolff/papers/journals/2023-RAS-CPS-HOL_CSP.pdf},
  keywords = {Cyber–Physical Systems, Autonomous cars, Safety-critical systems, Process-algebra, Concurrency, Proof-based verification},
  abstract = {Modelling and Analysing Cyber-Physical Systems (CPS) is a challenge for Formal Methods and therefore a 
            field of active research. It is characteristic of CPSs that models comprise aspects of Newtonian Physics 
            appearing in system environments, the difficulties of their discretization, the problems of communication 
            and interaction between actors in this environment as well as calculations respecting time-bounds. We present 
            a novel framework to address these problems developed with industrial partners involved in the Autonomous 
            Car domain. Based on HOL-CSP, we model time, physical evolution, "scenes” (global states) and "scenarios" 
            (traces) as well as the interaction of "actors" (vehicles, pedestrians, traffic lights) inside this framework. 
            In particular, discrete samplings are modelled by infinite internal choices. For several instances of the 
            modelling framework, we give formal proofs of a particular safety property for Autonomous Cars: if each car 
            follows the same driving strategy defined by the so-called Responsibility-Sensitive Safety (RSS), no collision 
            will occur. The proofs give rise to a number of variants of RSS and optimizations as well as a test-case 
            partitioning of abstract test cases and a test-strategy for integration tests.}
}
@inproceedings{bsmw2023,
  author = {Achim D. Brucker and
                  Idir A{\"{\i}}t{-}Sadoune and
                  Nicolas M{\'{e}}ric and
                  Burkhart Wolff},
  editor = {Uwe Gl{\"{a}}sser and
                  Jos{\'{e}} Creissac Campos and
                  Dominique M{\'{e}}ry and
                  Philippe A. Palanque},
  title = {Using Deep Ontologies in Formal Software Engineering},
  booktitle = {Rigorous State-Based Methods - 9th International Conference, {ABZ}
                  2023, Nancy, France, May 30 - June 2, 2023, Proceedings},
  series = {Lecture Notes in Computer Science},
  volume = {14010},
  pages = {15--32},
  publisher = {Springer},
  year = {2023},
  url = {https://doi.org/10.1007/978-3-031-33163-3\_2},
  doi = {10.1007/978-3-031-33163-3\_2},
  timestamp = {Fri, 02 Jun 2023 21:23:53 +0200},
  pdf = {https://www.lri.fr/~wolff/papers/conf/2023-ABZ-ontologies.pdf}
}
@proceedings{FosterWolffICECCS2023,
  editor = {Yamine Ait-Ameur and Ferhat Khendek},
  title = {Automated Reasoning for Physical Quantities, Units, and Measurements in Isabelle/HOL},
  booktitle = {27th International Conference on Engineering of Complex Computer Systems,
                  {ICECCS} 2023, Toulouse, France, June 14-16, 2023},
  publisher = {{IEEE}},
  year = {2023},
  pdf = {https://www.lri.fr/~wolff/papers/conf/2023FosterWolffICECCS.pdf},
  url = {https://arxiv.org/pdf/2302.07629.pdf}
}
@article{DBLP:journals/afp/FosterW20,
  author = {Simon Foster and
               Burkhart Wolff},
  title = {A Sound Type System for Physical Quantities, Units, and Measurements},
  journal = {Arch. Formal Proofs},
  volume = {2020},
  year = {2020},
  url = {https://www.isa-afp.org/entries/Physical\_Quantities.html},
  timestamp = {Thu, 10 Dec 2020 12:37:34 +0100},
  biburl = {https://dblp.org/rec/journals/afp/FosterW20.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}
@article{DBLP:journals/afp/TahaWY20,
  author = {Safouan Taha and
               Burkhart Wolff and
               Lina Ye},
  title = {The {HOL-CSP} Refinement Toolkit},
  journal = {Arch. Formal Proofs},
  volume = {2020},
  year = {2020},
  url = {https://www.isa-afp.org/entries/CSP\_RefTK.html},
  timestamp = {Wed, 17 Feb 2021 16:35:22 +0100},
  biburl = {https://dblp.org/rec/journals/afp/TahaWY20.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}
@article{DBLP:journals/jot/BruckerTW20,
  author = {Achim D. Brucker and
               Fr{\'{e}}d{\'{e}}ric Tuong and
               Burkhart Wolff},
  title = {Model Transformation as Conservative Theory-Transformation},
  journal = {J. Object Technol.},
  volume = {19},
  number = {3},
  pages = {3:1--16},
  year = {2020},
  url = {https://doi.org/10.5381/jot.2020.19.3.a3},
  doi = {10.5381/jot.2020.19.3.a3},
  timestamp = {Tue, 03 Nov 2020 08:17:34 +0100},
  biburl = {https://dblp.org/rec/journals/jot/BruckerTW20.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}
@article{DBLP:journals/simeuro/VanBW20,
  author = {Hai Nguyen Van and
               Fr{\'{e}}d{\'{e}}ric Boulanger and
               Burkhart Wolff},
  title = {Timed Discrete-Event Simulation of Aviation Scenarios},
  journal = {Simul. Notes Eur.},
  volume = {30},
  number = {2},
  pages = {51--60},
  year = {2020},
  url = {https://doi.org/10.11128/sne.30.tn.10512},
  doi = {10.11128/sne.30.tn.10512},
  timestamp = {Thu, 16 Jul 2020 17:14:17 +0200},
  biburl = {https://dblp.org/rec/journals/simeuro/VanBW20.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}
@inproceedings{DBLP:conf/ifm/TahaWY20,
  author = {Safouan Taha and
               Burkhart Wolff and
               Lina Ye},
  editor = {Brijesh Dongol and
               Elena Troubitsyna},
  title = {Philosophers May Dine - Definitively!},
  booktitle = {Integrated Formal Methods - 16th International Conference, {IFM} 2020,
               Lugano, Switzerland, November 16-20, 2020, Proceedings},
  series = {Lecture Notes in Computer Science},
  volume = {12546},
  pages = {419--439},
  publisher = {Springer},
  year = {2020},
  url = {https://doi.org/10.1007/978-3-030-63461-2\_23},
  doi = {10.1007/978-3-030-63461-2\_23},
  timestamp = {Tue, 17 Nov 2020 15:23:51 +0100},
  biburl = {https://dblp.org/rec/conf/ifm/TahaWY20.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}
@incollection{brucker.ea:ontologies-certification:2019,
  abstract = { A common problem in the certification of highly safety or security critical systems is the
		  consistency of the certification documentation in general and, in particular, the linking between
		  semi-formal and formal content of the certification documentation.
		  
		  We address this problem by using an existing framework, Isabelle/DOF, that allows writing
		  certification documents with consistency guarantees, in both, the semi-formal and formal parts.
		  Isabelle/DOF supports the \emph{modeling} of document ontologies using a strongly typed ontology
		  definition language. An ontology is then \emph{enforced} inside documents including formal parts,
		  e.g., system models, verification proofs, code, tests and validations of corner-cases. The entire set
		  of documents is checked within Isabelle/HOL, which includes the definition of ontologies and the
		  editing of integrated documents based on them. This process is supported by an IDE that provides
		  continuous checking of the document consistency.
		  
		  In this paper, we present how a specific software-engineering certification standard, namely CENELEC
		  50128, can be modeled inside Isabelle/DOF. Based on an ontology covering a substantial part of this
		  standard, we present how Isabelle/DOF can be applied to a certification case-study in the railway
		  domain.},
  keywords = {Certification of Safety-Critical Systems, CENELEC 50128, Formal Document Development, Isabelle/DOF,
		  Isabelle/HOL},
  location = {Bergen},
  author = {Achim D. Brucker and Burkhart Wolff},
  booktitle = {Integrated Formal Methods (iFM)},
  language = {USenglish},
  url = {https://www.brucker.ch/bibliography/abstract/brucker.ea-ontologies-certification-2019},
  publisher = {Springer-Verlag},
  address = {Heidelberg},
  series = {Lecture Notes in Computer Science},
  number = {11918},
  isbn = {3-540-25109-X},
  doi = {10.1007/978-3-030-34968-4_4},
  editor = {Wolfgang Ahrendt and Silvia Lizeth Tapia Tarifa},
  pdf = {https://www.brucker.ch/bibliography/download/2019/brucker.ea-ontologies-certification-2019.pdf},
  title = {{U}sing {O}ntologies in {F}ormal {D}evelopments {T}argeting {C}ertification},
  classification = {conference},
  areas = {formal methods, software},
  categories = {isadof},
  year = {2019},
  public = {yes}
}
@incollection{HOL-CSP-iFM2020,
  keywords = {Process-Algebra, Concurrency, Computational Models, Parametric System Verification},
  author = {Safouan Taha and Lina Ye and Burkhart Wolff},
  booktitle = {Integrated Formal Methods (iFM)},
  language = {USenglish},
  publisher = {Springer-Verlag},
  address = {Heidelberg},
  series = {Lecture Notes in Computer Science},
  number = {12546},
  doi = {10.1007/978-3-030-63461-2_23},
  editor = {Carlo A. Furia},
  title = {{P}hilosophers may {D}ine - {D}efinitively!},
  pdf = {https://www.lri.fr/~wolff/papers/conf/2020-iFM_CSP.pdf},
  classification = {conference},
  areas = {formal methods, software},
  year = {2020},
  public = {yes}
}
@incollection{Tuong-IsabelleC:2019,
  abstract = {We present a framework for C code in C11 syntax deeply 
    integrated into the Isabelle/PIDE devel- opment environment. Our framework 
    provides an abstract interface for verification back-ends to be plugged-in 
    independently. Thus, various techniques such as deductive program 
    verification or white- box testing can be applied to the same source, 
    which is part of an integrated PIDE document model. Semantic back-ends 
    are free to choose the supported C fragment and its semantics. In 
    particular, they can differ on the chosen memory model or the specification 
    mechanism for framing conditions.

    Our framework supports semantic annotations of C sources in the form of 
    comments. Annota- tions serve to locally control back-end settings, and can 
    express the term focus to which an annotation refers. Both the logical and 
    the syntactic context are available when semantic annotations are evaluated. 
    As a consequence, a formula in an annotation can refer both to HOL or C 
    variables.
    
    Our approach demonstrates the degree of maturity and expressive power the 
    Isabelle/PIDE sub-system has achieved in recent years. Our integration 
    technique employs Lex and Yacc style grammars to ensure efficient 
    deterministic parsing. We present two case studies for the integration of 
    (known) semantic back-ends in order to validate the design decisions for 
    our back-end interface.
},
  address = {Heidelberg},
  author = {Fr\'ederic Tuong and Burkhart Wolff},
  booktitle = {International Workshop on Formal Integrated Development Environments (F-IDE)},
  doi = {10.4204/EPTCS.310.3},
  keywords = {Isabelle, HOL, C11, Program Verification, Program Testing},
  language = {USenglish},
  location = {Porto, Protogal},
  number = {314},
  pdf = {https://www.lri.fr/~wolff/papers/conf/2019-fide-isabelle_c.pdf},
  publisher = {Open Publishing Association},
  series = {Electronic Proceedings in Theoretical Computer Science (EPTCS)},
  title = {{D}eeply {I}ntegrating {C11} {C}ode {S}upport into {I}sabelle/{PIDE}},
  year = {2019}
}
@misc{brucker_achim_d_2019_3370483,
  author = {Brucker, Achim D. and
                  Wolff, Burkhart},
  title = {{I}sabelle/{DOF}},
  month = aug,
  year = 2019,
  doi = {10.5281/zenodo.3370483},
  url = {https://doi.org/10.5281/zenodo.3370483}
}
@incollection{brucker.wolff:isadof-design-impl:2019,
  abstract = {DOF is a novel framework for \emph{defining} ontologies and
  \emph{enforcing} them during document development and document
  evolution. A major goal of DOF is the integrated development of
  formal certification documents (\eg, for Common Criteria or CENELEC
  50128) that require consistency across both formal and informal
  arguments.

  To support a consistent development of formal and informal parts of
  a document, we provide Isabelle/DOF, an implementation of DOF on top of
  Isabelle/HOL.  \isadof is integrated into Isabelle's IDE, which
  allows for smooth ontology development as well as immediate
  ontological feedback during the editing of a document.

  In this paper, we give an in-depth presentation of the design
  concepts of DOF's Ontology Definition Language (ODL) and key
  aspects of the technology of its implementation.  \isadof is the
  first ontology language supporting machine-checked
  links between the formal and informal parts in an LCF-style
  interactive theorem proving environment.

  Sufficiently annotated, large documents can easily be developed
  collaboratively, while \emph{ensuring their consistency}, and the
  impact of changes (in the formal and the semi-formal content) is
  tracked automatically.},
  address = {Heidelberg},
  author = {Achim D. Brucker and Burkhart Wolff},
  booktitle = {International Conference on Software Engineering and Formal Methods (SEFM)},
  doi = {10.1007/978-3-319-96812-4_3},
  keywords = {Isabelle, HOL, Ontologies, Certification},
  language = {USenglish},
  location = {Oslo, Norway},
  number = {11724},
  pdf = {https://www.lri.fr/~wolff/papers/conf/2019-sefm-isa_dof-framework.pdf},
  publisher = {Springer-Verlag},
  series = {Lecture Notes in Computer Science},
  title = {{I}sabelle/{DOF}: {D}esign and {I}mplementation},
  year = {2019}
}
@incollection{brucker.ea:isabelle-ontologies:2018,
  abstract = {While Isabelle is mostly known as part of Isabelle/HOL (an interactive theorem prover), it actually provides a framework for developing a wide spectrum of applications. A particular strength of the Isabelle framework is the combination of text editing, formal verification, and code generation.\\\\Up to now, Isabelle's document preparation system lacks a mechanism for ensuring the structure of different document types (as, e.g., required in certification processes) in general and, in particular, mechanism for linking informal and formal parts of a document.\\\\In this paper, we present Isabelle/DOF, a novel Document Ontology Framework on top of Isabelle. Isabelle/DOF allows for conventional typesetting \emph{as well} as formal development. We show how to model document ontologies inside Isabelle/DOF, how to use the resulting meta-information for enforcing a certain document structure, and discuss ontology-specific IDE support.},
  address = {Heidelberg},
  author = {Achim D. Brucker and Idir Ait-Sadoune and Paolo Crisafulli and Burkhart Wolff},
  booktitle = {Conference on Intelligent Computer Mathematics (CICM)},
  doi = {10.1007/978-3-319-96812-4_3},
  keywords = {Isabelle/Isar, HOL, Ontologies},
  language = {USenglish},
  location = {Hagenberg, Austria},
  number = {11006},
  pdf = {https://www.brucker.ch/bibliography/download/2018/brucker.ea-isabelle-ontologies-2018.pdf},
  publisher = {Springer-Verlag},
  series = {Lecture Notes in Computer Science},
  title = {Using The Isabelle Ontology Framework: Linking the Formal with the Informal},
  url = {https://www.brucker.ch/bibliography/abstract/brucker.ea-isabelle-ontologies-2018},
  year = {2018}
}
@inproceedings{bockenek:hal-02069705,
  title = {{U}sing {I}sabelle/{UTP} for the {V}erification of {Si}orting {A}lgorithms: {A} {C}ase {S}tudy},
  booktitle = {{I}sabelle {W}orkshop {part of {FLOC}'18}},
  author = {Bockenek, Joshua A and Lammich, Peter and Nemouchi, Yakoub and Wolff, Burkhart},
  url = {https://hal.archives-ouvertes.fr/hal-02069705},
  note = {Isabelle Workshop 2018, Colocated with Interactive Theorem Proving. As part of FLOC 2018, Oxford, GB.},
  year = {2018},
  month = jul,
  pdf = {https://www.lri.fr/~wolff/papers/conf/Isabelle_2018_paper_6.pdf},
  hal_id = {hal-02069705},
  hal_version = {v1}
}
@inproceedings{BCPW2018,
  title = {Making Agile Development Processes fit for V-style Certification
          Procedures},
  author = {Bezzecchi, S. and Crisafulli, P. and Pichot, C. and Wolff, B.},
  booktitle = {{ERTS'18}},
  abstract = {We present a process for the development of safety and security 
       critical  components in transportation systems targeting a high-level 
       certification  (CENELEC 50126/50128, DO 178, CC ISO/IEC 15408).
       
       The process adheres to the objectives of an ``agile development'' in 
       terms of evolutionary flexibility and continuous improvement. Yet, it 
       enforces the overall coherence of the development artifacts (ranging from 
       proofs over tests to code) by a particular environment (CVCE).
       
       In particular, the validation process is built around a formal development
       based on the interactive theorem proving system Isabelle/HOL, by linking the
       business logic of the application to the operating system model, down to
       code and concrete hardware models thanks to a series of refinement proofs.
       
       We apply both the process and its support in CVCE to a case-study that 
       comprises a model of  an odometric service in a railway-system with its 
       corresponding implementation integrated in seL4 (a secure kernel  for 
       which a comprehensive Isabelle development exists). Novel techniques 
       implemented in Isabelle enforce the coherence of semi-formal 
       and formal definitions within to specific certification processes
       in order to improve their cost-effectiveness.  
      },
  pdf = {https://www.lri.fr/~wolff/papers/conf/2018erts-agile-fm.pdf},
  year = {2018},
  series = {ERTS Conference Proceedings},
  location = {Toulouse}
}
@inproceedings{AissatVW2016,
  title = {Infeasible Paths Elimination by Symbolic Execution Techniques: 
              Proof of Correctness and Preservation of Paths},
  author = {Aissat, R. and Voisin, F. and Wolff, B.},
  booktitle = {{ITP'16}},
  abstract = {TRACER is a tool for verifying safety properties of sequential C 
              programs. TRACER attempts at building a finite symbolic execution 
              graph which over-approximates the set of all concrete reachable 
              states and the set of feasible paths.
              
              We present an abstract framework for TRACER and similar CEGAR-like 
              systems. The framework provides 1) a graph-transformation based 
              method for reducing the feasible paths in control-flow graphs, 2) 
              a model for symbolic execution, subsumption, predicate abstraction 
              and invariant generation. 
              
              In this framework we formally prove two key properties: correct 
              construction of the symbolic states and preservation of feasible 
              paths. The framework focuses on core operations, leaving to 
              concrete prototypes to “fit in” heuristics for combining them.},
  year = {2016},
  series = {Lecture Notes in Computer Science},
  volume = {9762},
  pdf = {https://www.lri.fr/~wolff/papers/conf/2016-itp-InfPathsNSE.pdf},
  location = {Vienna}
}
@inproceedings{DBLP:conf/tap/BruckerW16,
  author = {Achim D. Brucker and
               Burkhart Wolff},
  title = {Monadic Sequence Testing and Explicit Test-Refinements},
  booktitle = {Tests and Proofs - 10th International Conference, {TAP} 2016, Held
               as Part of {STAF} 2016, Vienna, Austria, July 5-7, 2016, Proceedings},
  volume = {LNCS 7942},
  series = {Lecture Notes in Computer Science},
  pages = {17--36},
  year = {2016},
  abstract = {Abstract We present an abstract framework for sequence testing 
               that is implemented in Isabelle/HOL-TestGen. Our framework is 
               based on the theory of state-exception monads, explicitly modelled 
               in HOL, and can cope with typed input and output, interleaving 
               executions including abort, and synchronisation.
               
               The framework is particularly geared towards symbolic execution 
               and has proven effective in several large case-studies involving 
               system models based on large (or infinite) state.
               
               On this basis, we rephrase the concept of test-refinements for 
               inclusion, deadlock and IOCO-like tests, together with a formal 
               theory of its rela- tion to traditional, IO-automata based notions.},
  url = {http://dx.doi.org/10.1007/978-3-319-41135-4_2},
  pdf = {https://www.brucker.ch/bibliography/download/2016/brucker.ea-monadic-sequence-testing-2016.pdf},
  doi = {10.1007/978-3-319-41135-4_2}
}
@inproceedings{DBLP:conf/models/BruckerCDGHHTWW16,
  author = {Achim D. Brucker and
               Jordi Cabot and
               Gwendal Daniel and
               Martin Gogolla and
               Adolfo S{\'{a}}nchez{-}Barbudo Herrera and
               Frank Hilken and
               Fr{\'{e}}d{\'{e}}ric Tuong and
               Edward D. Willink and
               Burkhart Wolff},
  title = {Recent Developments in {OCL} and Textual Modelling},
  booktitle = {Proceedings of the 16th International Workshop on {OCL} and Textual
               Modelling co-located with 19th International Conference on Model Driven
               Engineering Languages and Systems {(MODELS} 2016), Saint-Malo, France,
               October 2, 2016.},
  pages = {157--165},
  year = {2016},
  url = {http://ceur-ws.org/Vol-1756/paper12.pdf},
  timestamp = {Sun, 11 Dec 2016 13:10:16 +0100},
  biburl = {http://dblp.org/rec/bib/conf/models/BruckerCDGHHTWW16},
  bibsource = {dblp computer science bibliography, http://dblp.org}
}
@article{DBLP:journals/afp/AissatVW16,
  author = {Romain A{\"{\i}}ssat and
               Fr{\'{e}}d{\'{e}}ric Voisin and
               Burkhart Wolff},
  title = {Infeasible Paths Elimination by Symbolic Execution Techniques: Proof
               of Correctness and Preservation of Paths},
  journal = {Archive of Formal Proofs},
  volume = {2016},
  year = {2016},
  url = {https://www.isa-afp.org/entries/InfPathElimination.shtml},
  timestamp = {Thu, 17 Aug 2017 16:21:55 +0200},
  biburl = {http://dblp.org/rec/bib/journals/afp/AissatVW16},
  bibsource = {dblp computer science bibliography, http://dblp.org}
}
@techreport{AGVW2016,
  author = {Aissat, R. and Gaudel, M.-C. and Voisin, F. and Wolff, B.},
  title = {Pruning Infeasible Paths via Graph Transformations and
               Symbolic Execution: a Method and a Tool},
  number = {1588},
  institution = {L.R.I., Univ. Paris-Sud},
  url = {https://www.lri.fr/srubrique.php?news=33},
  year = {2016}
}
@inproceedings{DBLP:conf/qrs/AissatGVW16,
  author = {Romain A{\"{\i}}ssat and
               Marie{-}Claude Gaudel and
               Fr{\'{e}}d{\'{e}}ric Voisin and
               Burkhart Wolff},
  title = {A Method for Pruning Infeasible Paths via Graph Transformations and
               Symbolic Execution},
  booktitle = {2016 {IEEE} International Conference on Software Quality, Reliability
               and Security, {QRS} 2016, Vienna, Austria, August 1-3, 2016},
  pages = {144--151},
  year = {2016},
  url = {https://doi.org/10.1109/QRS.2016.26},
  doi = {10.1109/QRS.2016.26},
  timestamp = {Thu, 17 Aug 2017 16:22:01 +0200},
  biburl = {http://dblp.org/rec/bib/conf/qrs/AissatGVW16},
  bibsource = {dblp computer science bibliography, http://dblp.org}
}
@techreport{brucker.ea:hol-testgen:2016,
  author = {Achim D. Brucker and Lukas Br{\"u}gger and Abderrahmane
		       Feliachi and Chantal Keller and Matthias P. Krieger and
		       Delphine Longuet and Yakoub Nemouchi and Fr{\'e}d{\'e}ric
		       Tuong and Burkhart Wolff },
  institution = {Laboratoire en Recherche en Informatique (LRI),
		         Universit\'e Paris-Sud 11, France},
  language = {USenglish},
  month = apr,
  title = {{HOL-TestGen} 1.8.0 User Guide},
  categories = {testing,holtestgen},
  classification = {unrefereed},
  areas = {formal methods, software},
  keywords = {symbolic test case generations, black box testing, theorem
		  proving, Isabelle/HOL},
  year = {2016},
  number = {1586},
  num_pages = {111},
  pdf = {https://www.brucker.ch/bibliography/download/2016/brucker.ea-hol-testgen-2016.pdf},
  public = {yes},
  url = {https://www.brucker.ch/bibliography/abstract/brucker.ea-hol-testgen-2016}
}
@techreport{brucker.ea:formal-semantics-ocl-2.5:2015,
  author = {Achim D. Brucker and Fr{\'e}d{\'e}ric Tuong and Burkhart Wolff},
  institution = {LRI, Univ Paris Sud, CNRS, Centrale Sup\'elec,
		           Universit\'e Paris-Saclay, France},
  language = {USenglish},
  month = sep,
  title = {Featherweight {OCL}: {A} {P}roposal for a {M}achine-{C}hecked {F}ormal
		  {S}emantics for {OCL} 2.5},
  categories = {holocl},
  classification = {unrefereed},
  areas = {formal methods, software},
  year = {2015},
  number = {1582},
  num_pages = {196},
  public = {yes},
  abstract = {The Unified Modeling Language (UML) is one of the few
		  modeling languages that is widely used in industry. While
		  UML is mostly known as diagrammatic modeling language
		  (e.g., visualizing class models), it is complemented by a
		  textual language, called Object Constraint Language (OCL).
		  OCL is a textual annotation language, originally based on a
		  three-valued logic, that turns UML into a formal language.
		  Unfortunately the semantics of this specification language,
		  captured in the ``Annex A'' of the OCL standard, leads to
		  different interpretations of corner cases. Many of these
		  corner cases had been subject to formal analysis since more
		  than ten years.
		  
		  The situation complicated with the arrival of version 2.3
		  of the OCL standard. OCL was aligned with the latest
		  version of UML: this led to the extension of the
		  three-valued logic by a second exception element, called
		  null. While the first exception element invalid has a
		  strict semantics, null has a non strict interpretation. The
		  combination of these semantic features lead to remarkable
		  confusion for implementors of OCL compilers and
		  interpreters.
		  
		  In this paper, we provide a formalization of the core of
		  OCL in HOL. It provides denotational definitions, a logical
		  calculus and operational rules that allow for the execution
		  of OCL expressions by a mixture of term rewriting and code
		  compilation. Moreover, we describe a coding-scheme for UML
		  class models that were annotated by code-invariants and
		  code contracts. An implementation of this coding-scheme has
		  been undertaken: it consists of a kind of compiler that
		  takes a UML class model and translates it into a family of
		  definitions and derived theorems over them capturing the
		  properties of constructors and selectors, tests and casts
		  resulting from the class model. However, this compiler is
		  not included in this document.
		  
		  Our formalization reveals several inconsistencies and
		  contradictions in the current version of the OCL standard.
		  They reflect a challenge to define and implement OCL tools
		  in a uniform manner. Overall, this document is intended to
		  provide the basis for a machine-checked text ``Annex A'' of
		  the OCL standard targeting at tool implementors. },
  pdf = {https://www.lri.fr/~bibli/Rapports-internes/2015/RR1582.pdf},
  url = {https://www.brucker.ch/bibliography/abstract/brucker.ea-formal-semantics-ocl-2.5-2015}
}
@article{tuong.ea:meta-model:2015,
  author = {Fr{\'e}d{\'e}ric Tuong and Burkhart Wolff},
  title = {A {M}eta-{M}odel for the {I}sabelle {API}},
  journal = {Archive of Formal Proofs},
  year = {2015},
  url = {https://www.brucker.ch/bibliography/abstract/tuong.ea-meta-model-2015},
  issn = {2150-914x},
  categories = {holocl},
  public = yes
}
@inbook{used-fm:2015,
  author = {Yakoub Nemouchi and Abderrahmane Feliachi and 
          Burkhart Wolff and Cyril Proch},
  year = 2015,
  chapter = {Using Isabelle/HOL in Certification Processes: 
           A System Description and Mandatory Recommendations},
  editor = {Sergey Tverdyshev and  Oto Havle and Holger Blasum and Bruno Langenstein
           and Werner Stephan and Abderrahmane Feliachi and Yakoub Nemouchi and
           Burkhart Wolff and  Cyril Proch and Freek Verbeek and Julien Schmaltz},
  title = {Used Formal Methods},
  publisher = {The EURO-MILS Project},
  note = {available from the Project site: \url{http://www.euromils.eu/downloads/Deliverables/Y2/2015-EM-UsedFormalMethods-WhitePaper-October2015.pdf}},
  doi = {http://dx.doi.org/10.5281/zenodo.47297}
}
@article{feliachi-wolff:SymbTestgenCirta:2013,
  author = {Abderrahmane Feliachi and  Marie-Claude Gaudel and Burkhart Wolff},
  title = {Symbolic Test-generation in {HOL}-{T}est{G}en/{C}irTA: A Case Study},
  journal = {Int. J. Software Informatics},
  volume = {9},
  number = {2},
  year = {2015},
  pages = {177--203},
  abstract = {HOL-TestGen/CirTA is a theorem-prover based test generation 
                  environment for specifications written in Circus, a 
                  process-algebraic specification language in the tradition 
                  of CSP. HOL-TestGen/CirTA is based on a formal embedding of 
                  its semantics in Isabelle/HOL, allowing to derive rules over 
                  specification constructs in a logically safe way. 
                  Beyond the derivation of algebraic laws and calculi for 
                  process refinement, the originality of HOL-TestGen/ CirTA 
                  consists in an entire derived theory for the generation of 
                  symbolic test-traces, including optimized rules for test-generation 
                  as well as rules for symbolic execution. The deduction process 
                  is automated by Isabelle tactics, allowing to protract the 
                  state-space explosion resulting from blind enumeration of data.
                  
                  The implementation of test-generation procedures in CirTA is 
                  completed by an integrated tool chain that transforms the 
                  initial Circus specification of a system into a set of 
                  equivalence classes (or “symbolic tests”), which were compiled 
                  to conventional JUnit test-drivers.
                  
                  This paper describes the novel tool-chain based on prior 
                  theoretical work on semantics and test-theory and attempts 
                  an evaluation via a medium-sized case study performed on a 
                  component of a real-world safety-critical medical monitoring 
                  system written in Java. We provide experimental measurements 
                  of the kill-capacity of implementation mutants.},
  public = yes,
  url = {https://www.lri.fr/~wolff/papers/journals/2015-cirta-case-study.pdf}
}
@article{DBLP:journals/afp/BruckerBW17,
  author = {Achim D. Brucker and
               Lukas Br{\"{u}}gger and
               Burkhart Wolff},
  title = {Formal Network Models and Their Application to Firewall Policies},
  journal = {Archive of Formal Proofs},
  volume = {2017},
  year = {2017},
  url = {https://www.isa-afp.org/entries/UPF_Firewall.shtml},
  timestamp = {Wed, 25 Jan 2017 16:31:56 +0100},
  biburl = {http://dblp.org/rec/bib/journals/afp/BruckerBW17},
  bibsource = {dblp computer science bibliography, http://dblp.org}
}
@inproceedings{DBLP:conf/formats/VanBBKVW17,
  author = {Hai Nguyen Van and
               Thibaut Balabonski and
               Fr{\'{e}}d{\'{e}}ric Boulanger and
               Chantal Keller and
               Beno{\^{\i}}t Valiron and
               Burkhart Wolff},
  title = {A Symbolic Operational Semantics for {TESL} - With an Application
               to Heterogeneous System Testing},
  booktitle = {Formal Modeling and Analysis of Timed Systems - 15th International
               Conference, {FORMATS} 2017, Berlin, Germany, September 5-7, 2017,
               Proceedings},
  pages = {318--334},
  year = {2017},
  url = {https://doi.org/10.1007/978-3-319-65765-3_18},
  doi = {10.1007/978-3-319-65765-3_18},
  timestamp = {Fri, 01 Sep 2017 14:18:17 +0200},
  biburl = {http://dblp.org/rec/bib/conf/formats/VanBBKVW17},
  pdf = {https://www.lri.fr/~wolff/papers/conf/2017-FORMATS-TESL.pdf},
  bibsource = {dblp computer science bibliography, http://dblp.org}
}
@article{brucker-wolff:FormalFirewallTest:2013,
  author = {Achim D. Brucker and Lukas Br\"ugger and Burkhart Wolff},
  title = {Formal Firewall Conformance Testing: An Application of Test and Proof Techniques},
  journal = {Softw. Test., Verif. Reliab.},
  volume = {25},
  number = {1},
  year = {2015},
  pages = {34--71},
  abstract = {Firewalls are an important means to secure critical ICT infrastructures. As configurable off-the-shelf products, 
               the effectiveness of a firewall crucially depends on both the correctness of the implementation itself as well 
               as the correct configuration. While testing the implementation can be done once by the manufacturer, the 
               configuration needs to be tested for each application individually. This is particularly challenging as the configuration, 
               implementing a firewall policy, is inherently complex, hard to understand, administrated by different stakeholders and, 
               thus, difficult to validate.
                    This paper presents a formal model of both stateless and stateful firewalls (packet filters), including network 
               address translation (NAT), to which a specification-based conformance test case generation approach is applied. Furthermore, 
               a verified optimisation technique for this approach is presented: Starting from a formal model for stateless firewalls, 
               a collection of semantics-preserving policy transformation rules and an algorithm that optimises the specification with respect 
               of the number of test cases required for path coverage of the model are derived. We extend an existing approach that integrates 
               verification and testing, i. e., tests and proofs to support conformance testing of network policies.
                    The presented approach is supported by a test framework that allows to test actual firewalls using the test cases 
               generated based on the formal model. Finally, a report on several larger case studies is presented.
               },
  pdf = {https://www.lri.fr/~wolff/papers/journals/2010-stvr-fw-test.pdf},
  doi = {10.1002/stvr.1544}
}
@inproceedings{DBLP:conf/models/VanBBTVWY15,
  author = {Hai Nguyen Van and
               Thibaut Balabonski and
               Fr{\'{e}}d{\'{e}}ric Boulanger and
               Safouan Taha and
               Beno{\^{\i}}t Valiron and
               Burkhart Wolff and
               Lina Ye},
  title = {Towards a Formal Semantics of the {TESL} Specification Language},
  booktitle = {Joint Proceedings of the 3rd International Workshop on the Globalization
               Of Modeling Languages and the 9th International Workshop on Multi-Paradigm
               Modeling co-located with {ACM/IEEE} 18th International Conference
               on Model Driven Engineering Languages and Systems, GEMOC+MPM@MoDELS
               2015, Ottawa, Canada, September 28, 2015.},
  pages = {14--19},
  year = {2015},
  url = {http://ceur-ws.org/Vol-1511/paper-03.pdf},
  timestamp = {Fri, 20 Nov 2015 15:31:33 +0100},
  biburl = {http://dblp.uni-trier.de/rec/bib/conf/models/VanBBTVWY15},
  bibsource = {dblp computer science bibliography, http://dblp.org}
}
@incollection{brucker.ea:ipc-testing:2015,
  abstract = {In this paper, we adapt model-based testing techniques to
		  concurrent code, namely for test generations of an
		  (industrial) OS kernel called PikeOS\@. Since our
		  data-models are complex, the problem is out of reach of
		  conventional model-checking techniques. Our solution is
		  based on symbolic execution implemented inside the
		  interactive theorem proving environment Isabelle/HOL
		  extended by a plugin with test generation facilities called
		  HOL-TestGen.
		  
		  As a foundation for our symbolic computing techniques, we
		  refine the theory of monads to embed interleaving
		  executions with abort, synchronization, and shared memory
		  to a general but still optimized behavioral test framework.
		  
		  This framework is instantiated by a model of PikeOS
		  inter-process communication system-calls. Inheriting a
		  micro-architecture going back to the L4 kernel, the system
		  calls of the IPC-API are internally structured by atomic
		  actions; according to a security model, these actions can
		  fail and must produce error-codes. Thus, our tests reveal
		  errors in the enforcement of the security model.},
  keywords = {test program generation, symbolic test case generations,
		  black box testing, testing operating systems,
		  certification, CC, concurrency, interleaving},
  location = {San Francisco, California, USA},
  author = {Achim D. Brucker and Oto Havle and Yakoub Nemouchi and
		  Burkhart Wolff},
  title = {Testing the IPC Protocol for a Real-Time Operating
		  System},
  booktitle = {Working Conference on Verified Software: Theories, Tools,
		  and Experiments},
  language = {USenglish},
  publisher = {Springer-Verlag},
  address = {Heidelberg},
  series = {Lecture Notes in Computer Science},
  number = {9593},
  isbn = {3-540-14031-X},
  editor = {Arie Gurfinkel and Sanjit A. Seshia},
  pdf = {http://www.lri.fr/~wolff/papers/conf/2015-vstte-ipc-testing.pdf},
  issn = {0302-9743},
  categories = {holtestgen},
  classification = {conference},
  areas = {formal methods},
  year = {2015},
  public = {yes},
  doi = {10.1007/978-3-319-29613-5_3},
  url = {https://www.brucker.ch/bibliography/abstract/brucker.ea-ipc-testing-2015}
}
@inproceedings{DBLP:conf/nfm/VerbeekHSTBL0WN15,
  author = {Freek Verbeek and
               Oto Havle and
               Julien Schmaltz and
               Sergey Tverdyshev and
               Holger Blasum and
               Bruno Langenstein and
               Werner Stephan and
               Burkhart Wolff and
               Yakoub Nemouchi},
  title = {Formal {API} Specification of the PikeOS Separation Kernel},
  booktitle = {{NASA} Formal Methods - 7th International Symposium, {NFM} 2015, Pasadena,
               CA, USA, April 27-29, 2015, Proceedings},
  pages = {375--389},
  year = {2015},
  url = {http://dx.doi.org/10.1007/978-3-319-17524-9_26},
  doi = {10.1007/978-3-319-17524-9_26},
  timestamp = {Wed, 08 Apr 2015 14:02:16 +0200},
  biburl = {http://dblp.uni-trier.de/rec/bib/conf/nfm/VerbeekHSTBL0WN15},
  bibsource = {dblp computer science bibliography, http://dblp.org}
}
@inproceedings{DBLP:conf/models/LonguetTW14,
  author = {Delphine Longuet and Fr{\'{e}}d{\'{e}}ric Tuong and Burkhart Wolff},
  title = {Towards a {T}ool for {F}eatherweight {OCL:} {A} {C}ase {S}tudy {O}n {S}emantic
               {R}eflection},
  booktitle = {Proceedings of the 14th International Workshop on {OCL} and Textual
               Modelling co-located with 17th International Conference on Model Driven
               Engineering Languages and Systems {(MODELS} 2014), Valencia, Spain,
               September 30, 2014.},
  pages = {43--52},
  year = {2014},
  url = {http://ceur-ws.org/Vol-1285/paper05.pdf},
  timestamp = {Wed, 05 Nov 2014 15:39:22 +0100},
  biburl = {http://dblp.uni-trier.de/rec/bib/conf/models/LonguetTW14},
  bibsource = {dblp computer science bibliography, http://dblp.org}
}
@article{DBLP:journals/afp/BruckerBW14,
  author = {Achim D. Brucker and
               Lukas Br{\"{u}}gger and
               Burkhart Wolff},
  title = {The Unified Policy Framework {(UPF)}},
  journal = {Archive of Formal Proofs},
  volume = {2014},
  year = {2014},
  url = {https://www.isa-afp.org/entries/UPF.shtml},
  timestamp = {Mon, 19 Sep 2016 15:58:56 +0200},
  biburl = {http://dblp.org/rec/bib/journals/afp/BruckerBW14},
  bibsource = {dblp computer science bibliography, http://dblp.org}
}
@inproceedings{DBLP:conf/models/BruckerCDGGJTW14,
  author = {Achim D. Brucker and
               Tony Clark and
               Carolina Dania and
               Geri Georg and
               Martin Gogolla and
               Fr{\'{e}}d{\'{e}}ric Jouault and
               Ernest Teniente and
               Burkhart Wolff},
  title = {Panel Discussion: Proposals for Improving {OCL}},
  booktitle = {Proceedings of the 14th International Workshop on {OCL} and Textual
               Modelling co-located with 17th International Conference on Model Driven
               Engineering Languages and Systems {(MODELS} 2014), Valencia, Spain,
               September 30, 2014.},
  pages = {83--99},
  year = {2014},
  url = {http://ceur-ws.org/Vol-1285/paper09.pdf},
  timestamp = {Wed, 05 Nov 2014 15:39:22 +0100},
  biburl = {http://dblp.uni-trier.de/rec/bib/conf/models/BruckerCDGGJTW14},
  bibsource = {dblp computer science bibliography, http://dblp.org}
}
@article{UPF-AFP,
  author = {Achim D. Brucker and Lukas Br{\"u}gger and Burkhart Wolff},
  title = {The {U}nified {P}olicy {F}ramework {(UPF)}},
  journal = {Archive of Formal Proofs},
  month = nov,
  year = 2014,
  note = {\url{http://afp.sf.net/entries/UPF.shtml},
            Formal proof development},
  issn = {2150-914x}
}
@article{CISC-Kernel-AFP,
  author = {Freek Verbeek and Sergey Tverdyshev and Oto Havle and Holger Blasum and Bruno Langenstein and Werner Stephan and Yakoub Nemouchi and Abderrahmane Feliachi and Burkhart Wolff and Julien Schmaltz},
  title = {Formal Specification of a Generic Separation Kernel},
  journal = {Archive of Formal Proofs},
  month = jul,
  year = 2014,
  note = {\url{http://afp.sf.net/entries/CISC-Kernel.shtml},
            Formal proof development},
  issn = {2150-914x}
}
@article{jron_et_al:DR:2013:4006,
  author = {Thierry J{\'e}ron and Margus Veanes and Burkhart Wolff},
  title = {{Symbolic Methods in Testing (Dagstuhl Seminar 13021)}},
  pages = {1--29},
  journal = {Dagstuhl Reports},
  issn = {2192-5283},
  year = {2013},
  volume = {3},
  number = {1},
  editor = {Thierry J{\'e}ron and Margus Veanes and Burkhart Wolff},
  publisher = {Schloss Dagstuhl--Leibniz-Zentrum fuer Informatik},
  address = {Dagstuhl, Germany},
  url = {http://drops.dagstuhl.de/opus/volltexte/2013/4006},
  urn = {urn:nbn:de:0030-drops-40060},
  doi = {10.4230/DagRep.3.1.1},
  area = {logical_representations},
  annote = {Keywords: Automated Deduction, White-box testing, 
                 Black-box Testing, Fuzz-Testing, Unit-Testing,
                 Theorem prover-based Testing}
}
@incollection{feliachi.ea:cirta:2013,
  abstract = {Formal specifications provide strong bases for testing and 
                    bring powerful techniques and technologies. Expressive formal 
                    specification languages combine large data domain and behavior. 
                    Thus, symbolic methods have raised particular interest for 
                    test generation techniques. Integrating formal testing in 
                    proof environments such as Isabelle/HOL is referred to as 
                    “theorem-prover based testing”. Theorem-prover based testing 
                    can be adapted to a specific specification language via a 
                    representation of its formal semantics, paving the way for 
                    specific support of its constructs. The main challenge of 
                    this approach is to reduce the gap between pen-and-paper 
                    semantics and formal mechanized theories.
                      In this paper we 
                    consider testing based on the Circus specification language. 
                    This language integrates the notions of states and of 
                    complex data in a Z-like fashion with communicating 
                    processes inspired from CSP. We present a machine-checked 
                    formalization in Isabelle/HOL of this lan- guage and its 
                    testing theory. Based on this formal representation of the 
                    semantics we revisit the original associated testing theory.
                    We discovered unforeseen simplifications in both definitions 
                    and symbolic computations. The approach lends itself to the 
                    construction of a tool, that directly uses semantic definitions 
                    of the language as well as derived rules of its testing theory, 
                    and thus provides some powerful sym- bolic computation 
                    machinery to seamlessly implement them both in a technical 
                    environment. },
  keywords = {symbolic test case generations, black box testing, theorem
		  proving, network security, firewall testing, conformance
		  testing},
  location = {Wellington},
  author = {Abderrahmane Feliachi and Marie-Claude Gaudel and Makarius Wenzel and Burkhart Wolff},
  booktitle = {Formal Methods and Software Engineering - 15th International Conference on Formal Engineering Methods(ICFEM)},
  language = {USenglish},
  publisher = {Springer-Verlag},
  address = {Heidelberg},
  series = {Lecture Notes in Computer Science},
  number = {8144},
  title = {The Circus Testing Theory Revisited in Isabelle/HOL},
  categories = {holtestgen},
  classification = {conference},
  areas = {formal testing, semantics, formal methods},
  year = {2013},
  pdf = {http://www.lri.fr/~wolff/papers/conf/2013-Circus-testing.pdf}
}
@incollection{brucker.ea:hol-testgen-fw:2013,
  abstract = { The HOL-TestGen environment is conceived as a system for
		  modeling and semi-automated test generation with an
		  emphasis on expressive power and generality. However, its
		  underlying technical framework Isabelle/HOL supports the
		  customization as well as the development of highly
		  automated add-ons working in specific application domains.
		  
		  In this paper, we present HOL-TestGen/fw, an add-on for the
		  test framework HOL-TestGen, that allows for testing the
		  conformance of firewall implementations to high-level
		  security policies. Based on generic theories specifying a
		  security-policy language, we developed specific theories
		  for network data and firewall policies. On top of these
		  firewall specific theories, we provide mechanisms for
		  policy transformations based on derived rules and adapted
		  code-generators producing test drivers. Our empirical
		  evaluations shows that HOL-TestGen/fw is a competitive
		  environment for testing firewalls or high-level policies of
		  local networks. },
  keywords = {symbolic test case generations, black box testing, theorem
		  proving, network security, firewall testing, conformance
		  testing},
  location = {Shanghai},
  author = {Achim D. Brucker and Lukas Br{\"u}gger and Burkhart Wolff},
  booktitle = {International Colloquium on Theoretical Aspects of Computing (ICTAC)},
  language = {USenglish},
  publisher = {Springer-Verlag},
  address = {Heidelberg},
  series = {Lecture Notes in Computer Science},
  number = {8049},
  title = {HOL-TestGen/FW: An Environment for Specification-based
		   Firewall Conformance Testing},
  categories = {holtestgen},
  classification = {conference},
  areas = {security, formal methods},
  year = {2013},
  pdf = {http://www.lri.fr/~wolff/papers/conf/2013-ictac-hol-testgen-fw.pdf}
}
@inproceedings{DBLP:conf/mkm/BarrasGHRTWW13,
  author = {Bruno Barras and
               Lourdes Del Carmen Gonz{\'a}lez-Huesca and
               Hugo Herbelin and
               Yann R{\'e}gis-Gianas and
               Enrico Tassi and
               Makarius Wenzel and
               Burkhart Wolff},
  title = {Pervasive Parallelism in Highly-Trustable Interactive Theorem
               Proving Systems},
  booktitle = {MKM/Calculemus/DML},
  year = {2013},
  pages = {359-363},
  doi = {10.1007/978-3-642-39320-4_29},
  pdf = {http://www.lri.fr/~wolff/papers/conf/CICM13-PervasiveParallsm.pdf},
  area = {logical_representations},
  bibsource = {DBLP, http://dblp.uni-trier.de},
  classification = {conference},
  publisher = {Springer},
  series = {Lecture Notes in Computer Science},
  volume = {7961},
  abstract = {Interactive theorem proving is a technology of fundamental 
  importance for mathematics and computer-science. It is based on expressive 
  logical foundations and implemented in a highly trustable way. Applications 
  include huge mathematical proofs and semi-automated verifications of complex 
  software systems. Interactive development of larger and larger proofs 
  increases the demand for computing power, which means explicit parallelism 
  on current multicore hardware.
The architecture of contemporary interactive 
  provers such as Coq, Isabelle or the HOL family goes back to the influential 
  LCF system from 1979, which has pioneered key principles like correctness 
  by construction for primitive inferences and definitions, free programmability 
  in userspace via ML, and toplevel command interaction. Both Coq and Isabelle 
  have elaborated the prover architecture over the years, driven by the demands 
  of sophisticated proof procedures, derived specification principles, large 
  libraries of formalized mathematics etc. Despite this success, the operational 
  model of interactive proof checking was limited by sequential ML evaluation 
  and the sequential read-eval-print loop, as inherited from LCF.}
}
@article{DBLP:journals/corr/BarrasGHRTWW13,
  author = {Bruno Barras and
               Lourdes Del Carmen Gonz{\'{a}}lez{-}Huesca and
               Hugo Herbelin and
               Yann R{\'{e}}gis{-}Gianas and
               Enrico Tassi and
               Makarius Wenzel and
               Burkhart Wolff},
  title = {Pervasive Parallelism in Highly-Trustable Interactive Theorem Proving
               Systems},
  journal = {CoRR},
  volume = {abs/1305.7360},
  year = {2013},
  url = {http://arxiv.org/abs/1305.7360},
  archiveprefix = {arXiv},
  eprint = {1305.7360},
  timestamp = {Wed, 07 Jun 2017 14:43:08 +0200},
  biburl = {http://dblp.org/rec/bib/journals/corr/BarrasGHRTWW13},
  bibsource = {dblp computer science bibliography, http://dblp.org}
}
@inproceedings{Brucker:2013:TAP,
  author = {Brucker, Achim D. and Feliachi, Abderrahmane and Nemouchi, 
              Yakoub and Wolff, Burkhart},
  title = {Test Program Generation for a Microprocessor -- A Case-Study},
  booktitle = {Proceedings of the 6th Intl. Conf. on Test and Proof (TAP '13)},
  series = {Lecture Notes in Computer Science},
  volume = {LNCS 7942},
  year = {2013},
  location = {Budapest, Hungaria},
  pages = {76--95},
  numpages = {20},
  classification = {conference},
  pdf = {http://www.lri.fr/~wolff/papers/conf/2013-tap-tproc-testgen.pdf},
  pdf = {http://www.lri.fr/~wolff/papers/conf/2013-TapPresentation.pdf},
  publisher = {Springer LNCS},
  doi = {10.1007/978-3-642-38916-0_5},
  area = {logical_representations},
  domain = {os_test},
  abstract = {Certifications of critical security or safety system properties are 
             becoming increasingly important for a wide range of products. 
             Certifying large systems like operating systems up to Common 
             Criteria EAL 4 is common practice today, and higher certification 
             levels are at the brink of becoming reality.
             To reach EAL 7 one has 
             to formally verify properties on the specification as well as test 
             the implementation thoroughly. This includes tests of the used 
             hardware platform underlying a proof architecture to be certified. 
             In this paper, we address the latter problem: we present a case 
             study that uses a formal model of a microprocessor and generate 
             test programs from it. These test programs validate that a 
             microprocessor implements the specified instruction set correctly.
             We built our case study on an existing model that was, together 
             with an operating system, developed in Isabelle/HOL. We use 
             HOL-TestGen, a model-based testing environment which is an 
             extension of Isabelle/HOL. We develop several conformance test 
             scenarios, where processor models were used to synthesize test 
             programs that were run against real hard- ware in the loop. 
             Our test case generation approach directly benefits from the 
             existing models and formal proofs in Isabelle/HOL.},
  keywords = {test program generation, symbolic test case generations, 
             black box testing, white box testing, theorem proving, 
             interactive testing}
}
@inproceedings{Brucker:2012:FOS:2428516.2428520,
  author = {Brucker, Achim D. and Wolff, Burkhart},
  title = {Featherweight OCL: a study for the consistent semantics of OCL 2.3 in HOL},
  booktitle = {Proceedings of the 12th Workshop on OCL and Textual Modelling},
  series = {OCL '12},
  year = {2012},
  isbn = {978-1-4503-1799-3},
  location = {Innsbruck, Austria},
  pages = {19--24},
  numpages = {6},
  url = {10.1145/2428516.2428520},
  doi = {10.1145/2428516.2428520},
  acmid = {2428520},
  pdf = {http://www.lri.fr/~wolff/papers/workshop/featherweight-ocl.pdf},
  publisher = {ACM},
  address = {New York, NY, USA},
  area = {logical_representations},
  domain = {os_test},
  classification = {conference},
  keywords = {HOL-OCL, OCL, formal semantics}
}
@article{Feliachi-Wolff-Gaudel-AFP12,
  author = {Abderrahmane Feliachi and Burkhart Wolff and Marie-Claude Gaudel},
  title = {Isabelle/Circus},
  journal = {Archive of Formal Proofs},
  month = jun,
  year = 2012,
  note = {\url{http://afp.sourceforge.net/entries/Circus.shtml}, 
              Formal proof development},
  area = {logical_representations},
  abstract = {The Circus specification language combines elements for 
     complex data and behavior specifications, using an integration of Z and CSP 
     with a refinement calculus. Its semantics is based on Hoare and He's 
     Unifying Theories of Programming (UTP). Isabelle/Circus is a formalization of 
     the UTP and the Circus language in Isabelle/HOL. It contains proof rules and 
     tactic support that allows for proofs of refinement for Circus processes 
     (involving both data and behavioral aspects).
     The Isabelle/Circus environment supports a syntax for the semantic 
     definitions which is close to textbook presentations of Circus. This 
     article contains an extended version of corresponding VSTTE Paper together 
     with the complete formal development of its underlying commented theories.},
  issn = {2150-914x}
}
@proceedings{DBLP:conf/utp/2008,
  editor = {Burkhart Wolff and Marie-Claude Gaudel and Abderrahmane Feliachi},
  title = {Unifying Theories of Programming, 4th International Symposium, 
	  UTP 2012, Paris, France, August 27-28, 2012, Revised Selected Papers},
  booktitle = {UTP},
  publisher = {Springer},
  series = {Lecture Notes in Computer Science},
  volume = {LNCS 7681},
  year = 2013,
  isbn = {978-3-642-35704-6}
}
@techreport{brucker.ea:hol-testgen:2012,
  author = {Achim D. Brucker and Lukas Br{\"u}gger and Matthias P.
		  Krieger and Burkhart Wolff},
  institution = {Laboratoire en Recherche en Infromatique (LRI),
		  Universit\'e Paris-Sud 11, France},
  language = {USenglish},
  month = apr,
  title = {{HOL-TestGen} 1.7.0 User Guide},
  categories = {testing,holtestgen},
  classification = {unrefereed},
  areas = {formal methods, software},
  keywords = {symbolic test case generations, black box testing, theorem
		  proving, Isabelle/HOL},
  year = {2012},
  number = {1551},
  area = {logical_representations},
  num_pages = {120},
  pdf = {http://www.brucker.ch/bibliography/download/2012/brucker.ea-hol-testgen-2012.pdf},
  public = {yes},
  url = {http://www.brucker.ch/bibliography/abstract/brucker.ea-hol-testgen-2012}
}
@inproceedings{feliachigw12,
  author = {Abderrahmane Feliachi and
               Marie-Claude Gaudel and
               Burkhart Wolff},
  title = {Isabelle/{C}ircus: A Process Specification and Verification Environment},
  booktitle = {VSTTE},
  year = {2012},
  pages = {243-260},
  series = {Lecture Notes in Computer Science},
  volume = {LNCS 7152},
  isbn = {978-3-642-27704-7},
  ee = {http://dx.doi.org/10.1007/978-3-642-27705-4_20},
  doi = {10.1007/978-3-642-27705-4_20},
  abstract = {The Circus specification language combines elements for complex data and behavior specifications, 
              using an integration of Z and CSP with a refinement calculus. Its semantics is based on Hoare and 
              He's unifying theories of programming (UTP). We develop a machine-checked, formal semantics based 
              on a "shallow embedding" of Circus in Isabelle/UTP (our semantic theory of UTP based on Isabelle/HOL). 
              We derive proof rules from this semantics and imple- ment tactic support that finally allows for 
              proofs of refinement for Circus processes (involving both data and behavioral aspects). 
              This proof environment supports a syntax for the semantic definitions which is close to textbook 
              presentations of Circus.  },
  pdf = {http://www.lri.fr/~wolff/papers/conf/VSTTE-IsabelleCircus11.pdf},
  classification = {conference},
  area = {logical_representations},
  bibsource = {DBLP, http://dblp.uni-trier.de}
}
@techreport{feliachi11rapport-lri,
  author = {Abderrahmane Feliachi},
  title = {Representing {C}ircus {O}perational {S}emantics in {I}sabelle/{HOL}},
  institution = {LRI, http://www.lri.fr/Rapports-internes},
  year = 2011,
  number = 1544,
  address = {Universit{\'e} Paris-Sud XI},
  month = {August},
  pdf = {http://www.lri.fr/~bibli/Rapports-internes/2011/RR1544.pdf},
  x-equipes = {fortesse},
  x-type = {article},
  x-support = {rapport}
}
@article{DBLP:journals/eceasst/CabotCGW11,
  author = {Jordi Cabot and
               Robert Claris{\'o} and
               Martin Gogolla and
               Burkhart Wolff},
  title = {Preface (OCL 2011 Proceedings)},
  journal = {ECEASST},
  volume = {44},
  year = {2011},
  ee = {http://journal.ub.tu-berlin.de/eceasst/article/view/666},
  bibsource = {DBLP, http://dblp.uni-trier.de}
}
@proceedings{DBLP:conf/pts/2011,
  editor = {Burkhart Wolff and Fatiha Za\"{\i}di},
  title = {Testing Software and Systems - 23rd IFIP WG 6.1 International
               Conference, ICTSS 2011, Paris, France, November 7-10, 2011.
               Proceedings},
  booktitle = {ICTSS},
  publisher = {Springer},
  series = {Lecture Notes in Computer Science},
  volume = {7019},
  year = {2011},
  isbn = {978-3-642-24579-4},
  ee = {http://dx.doi.org/10.1007/978-3-642-24580-0},
  doi = {10.1007/978-3-642-24580-0},
  bibsource = {DBLP, http://dblp.uni-trier.de}
}
@proceedings{DBLP:conf/tap/2011,
  editor = {Martin Gogolla and Burkhart Wolff},
  title = {Tests and Proofs - 5th International Conference, TAP 2011,
               Zurich, Switzerland, June 30 - July 1, 2011. Proceedings},
  booktitle = {TAP},
  publisher = {Springer},
  series = {Lecture Notes in Computer Science},
  volume = {6706},
  year = {2011},
  isbn = {978-3-642-21767-8},
  bibsource = {DBLP, http://dblp.uni-trier.de},
  url = {http://www.lri.fr/~wolff/papers/conf/2011-sacmat-mbtsec-npfit.pdf},
  ee = {http://dx.doi.org/10.1007/978-3-642-21768-5},
  doi = {10.1007/978-3-642-21768-5}
}
@incollection{2011-sacmat-mbtsec-npfit,
  author = {Achim D. Brucker and Lukas Br\"ugger and Paul Kearney and Burkhart Wolff},
  title = {An Approach to Modular and Testable Security Models of Real-world Health-Care Applications},
  pages = {133-142},
  publisher = {ACM},
  year = {2011},
  series = {Proceedings of the ACM Symposium on Access control models and technologies},
  abstract = {We present a generic modular policy modelling framework and instantiate it with a substantial 
            case study for model- based testing of some key security mechanisms of applications and services of the NPfIT. 
            NPfIT, the National Programme for IT, is a very large-scale development project aiming to modernise the IT 
            infrastructure of the National Health Service (NHS) in England. Consisting of heteroge- neous and distributed 
            applications, it is an ideal target for model-based testing techniques of a large system exhibiting critical 
            security features.
            We model the four information governance principles, comprising a role-based access control model, as well 
            as policy rules governing the concepts of patient consent, sealed en- velopes and legitimate relationships. 
             The model is given in Higher-order Logic (HOL) and processed together with suitable test specifications in 
            the HOL-TestGen system, that generates test sequences according to them. Particular em- phasis is put on the 
           modular description of security poli- cies and their generic combination and its consequences for 
           model-based testing.},
  note = {SACMAT 2011},
  doi = {10.1145/1998441.1998461},
  area = {logical_representations},
  pdf = {http://www.brucker.ch/bibliography/download/2011/brucker.ea-model-based-2011.pdf}
}
@incollection{feliachi:uznifying-theories:2010,
  title = {{U}nifying {T}heories in {I}sabelle/{HOL}},
  abstract = { In this paper, we present various extensions of Isabelle/HOL by
                   theories that are essential for several formal methods.  First, we
                   explain how we have developed an Isabelle/HOL theory for a part of
                   the Unifying Theories of Programming (UTP).  It contains the
                   theories of alphabetized relations and designs.  Then we explain how
                   we have encoded first the theory of reactive processes and then the UTP theory
                   for CSP.  Our work takes advantage of the rich existing logical core
                   of HOL.

                   Our extension contains the proofs for most of the lemmas and
                   theorems presented in the UTP book. Our goal is to propose a
                   framework that will allow us to deal with formal methods that are
                   semantically based, partly or totally, on UTP, for instance CSP and
                   xsCircus . The theories presented here will allow us to make proofs about
                   such specifications and to apply verified transformations on them,
                   with the objective of assisting refinement and test generation.
                   \keywords{UTP, Theorem Proving, Isabelle/HOL, CSP, Circus}},
  keywords = {UTP, Theorem Proving, Symbolic test case generations, Isabelle/HOL},
  author = {Abderrahmane Feliachi and Marie-Claude Gaudel and Burkhart Wolff},
  booktitle = {Unifying Theories of Programming {(UTP2010)}},
  language = {USenglish},
  publisher = {Springer-Verlag},
  address = {Heidelberg},
  series = {Lecture Notes in Computer Science},
  number = {6445},
  classification = {conference},
  ee = {http://dx.doi.org/10.1007/978-3-642-16690-7_9},
  year = {2010},
  doi = {10.1007/978-3-642-16690-7_9},
  pdf = {http://www.lri.fr/~wolff/papers/conf/2010-utp-unifying-theories.pdf},
  area = {logical_representations},
  public = {yes}
}
@techreport{wolff:FMWettbebwerb:2009,
  author = {Burkhart Wolff},
  title = {Top-down vs. {B}ottom-up: {F}ormale {M}ethoden im wissenschaftlichen {W}ettbewerb. {E}in essayistischer {S}urvey \"uber den {S}tand der {K}unst.},
  institution = {DFKI Technischer Bericht},
  year = 2009,
  pdf = {http://www.lri.fr/~wolff/papers/other/festschrift.pdf},
  note = {Erschienen in der Festschrift zum 60. Geburtstag von Bernd Krieg-Br\"uckner.},
  abtract = {In diesem Beitrag wird versucht, einen \"Uberblick \"uber
                  den Wettbewerb zweier konkurrierender
                  Forschungsprogramme --- genannt Top-down oder
                  Transformationelle Entwicklungsmethodik versus
                  Bottom-up oder post-hoc Programmverifikation ---
                  Bereich “For- maler Methoden” zu geben. Als
                  Einordnungsrahmen benutze ich Lakatos's Konzept
                  des "wissenschaftlichen Forschungsprogramms". Es
                  ergibt sich ein bewusst altmodischer Versuch --- im
                  Gegensatz zu modischen bibliometrischen Kriterien
                  (vulgo: Zahlen von Ver\"offentlichungen) ---
                  inhaltliche Kriterien f\"ur die Qualit\"at und damit
                  den Fortschritt der wissenschaftlichen Arbeit in
                  unserem Gebiet zu entwickeln.}
}
@inproceedings{Brucker.ea:SpecificationBased:2010,
  author = {Achim D. Brucker and Matthias P. Krieger and Delphine Longuet and Burkhart Wolff},
  title = {{A} {S}pecification-based {T}est {C}ase {G}eneration {M}ethod for {UML}/{OCL}},
  abstract = {Automated test data generation is an important method
                  for the verification and validation of UML/OCL
                  specifications. In this paper, we present an
                  extension of DNF-based test case generation methods
                  to class models and recursive query operations on
                  them. A key feature of our approach is an implicit
                  representation of object graphs avoiding a repre-
                  sentation based on object-id's; thus, our approach
                  avoids the generation of isomorphic object graphs by
                  using a concise and still human-readable symbolic
                  representation.},
  pdf = {http://www.lri.fr/~wolff/papers/workshop/ocl-testing.pdf},
  booktitle = {Proceedings of the Workshop on OCL and Textual Modelling (OCL 2010)},
  classification = {conference},
  year = 2010,
  doi = {10.1007/978-3-642-21210-9_33},
  area = {logical_representations},
  note = {LNCS 6627}
}
@inproceedings{Krieger.ea:2010,
  author = {Matthias P. Krieger and Alexander Knapp and Burkhart Wolff},
  title = {{A}utomatic and {E}fficient {S}imulation of {O}peration {C}ontracts},
  booktitle = {Ninth International Conference on Generative Programming and Component Engineering (GPCE'10)},
  year = 2010,
  publisher = {IEEE Computer Society},
  copyright = {IEEE Computer Society},
  editor = {Eelco Visser and Jaakko Jarvi and Giorgios Economopoulos},
  isbn = {978-1-4503-0154-1},
  doi = {10.1145/1868294.1868303},
  classification = {conference},
  pdf = {http://www.lri.fr/~wolff/papers/conf/2010-gpce-operation-contracts.pdf},
  abstract = {Operation contracts consisting of pre- and
                  postconditions are a well-known means of specifying
                  operations. In this paper we deal with the problem
                  of operation contract simulation, i.e., determining
                  operation results satisfying the postconditions
                  based on input data supplied by the user; simulating
                  operation contracts is an important technique for
                  requirements validation and prototyping. Current
                  approaches to operation contract simulation exhibit
                  poor performance for large sets of input data or
                  require additional guidance from the user. We show
                  how these problems can be alleviated and describe an
                  efficient as well as fully automatic approach. It is
                  implemented in our tool OCLexec that generates from
                  UML/OCL operation contracts corresponding Java
                  implementations which call a constraint solver at
                  runtime. The generated code can serve as a
                  prototype. A case study demonstrates that our
                  approach can handle problem instances of
                  considerable size.}
}
@article{brucker.ea:2010,
  author = {Achim D. Brucker and Lukas Br\"ugger and Paul Kearney and Burkhart Wolff},
  journal = {Software Testing, Verification, and Validation, 2010 International Conference on},
  volume = {0},
  title = {{V}erified {F}irewall {P}olicy {T}ransformations for {T}est {C}ase {G}eneration},
  year = 2010,
  isbn = {978-0-7695-3990-4},
  pages = {345-354},
  publisher = {IEEE Computer Society},
  copyright = {IEEE Computer Society},
  booktitle = {International Conference on Software Testing {(ICST10)}},
  location = {Paris, France},
  editor = {Ana Cavalli and Sudipto Ghosh},
  classification = {conference},
  doi = {10.1109/ICST.2010.50},
  address = {Los Alamitos, CA, USA},
  area = {logical_representations},
  pdf = {http://www.lri.fr/~wolff/papers/conf/firewall-reloaded.pdf},
  abstract = {We present an optimization technique for model-based generation of
                   test cases for firewalls. Based on a formal model for firewall
                   policies in higher-order logic, we derive a collection of
                   semantics-preserving policy transformation rules and an algorithm
                   that optimizes the specification with respect of the number of
                   test cases required for path coverage.  The correctness of the rules
                   and the algorithm is established by formal proofs in
                   Isabelle/\acs{hol}. Finally, we use the normalized policies to
                   generate test cases with the domain-specific firewall testing tool
                   \testgenFW.
 
                   The resulting procedure is characterized by a gain in efficiency
                   of two orders of magnitude and can handle configurations with
                   hundreds of rules as occur in practice.
                  
                   Our approach can be seen as an instance of a methodology to
                   tame inherent state-space explosions in test case generation for
                   security policies.}
}
@inproceedings{DBLP:conf/models/BruckerLTW13,
  author = {Achim D. Brucker and
               Delphine Longuet and
               Fr{\'e}d{\'e}ric Tuong and
               Burkhart Wolff},
  title = {On the {S}emantics of {O}bject-{O}riented {D}ata {S}tructures and
               {P}ath {E}xpressions},
  booktitle = {OCL@MoDELS},
  year = {2013},
  pages = {23-32},
  ee = {http://ceur-ws.org/Vol-1092/brucker.pdf},
  publisher = {CEUR-WS.org},
  series = {CEUR Workshop Proceedings},
  volume = {1092}
}
@inproceedings{DBLP:conf/models/BruckerCCDGPRWW13,
  author = {Achim D. Brucker and
               Dan Chiorean and
               Tony Clark and
               Birgit Demuth and
               Martin Gogolla and
               Dimitri Plotnikov and
               Bernhard Rumpe and
               Edward D. Willink and
               Burkhart Wolff},
  title = {Report on the Aachen OCL Meeting},
  booktitle = {OCL@MoDELS},
  year = {2013},
  pages = {103-111},
  ee = {http://ceur-ws.org/Vol-1092/aachen.pdf},
  publisher = {CEUR-WS.org},
  series = {CEUR Workshop Proceedings},
  volume = {1092},
  year = {2013}
}
@article{brucker.ea:2012,
  author = {Achim D. Brucker and Burkhart Wolff},
  title = {On {T}heorem {P}rover-based {T}esting},
  journal = {Formal Asp. Comput. (FAOC)},
  year = {2013},
  month = sept,
  volume = {25},
  number = {5},
  pages = {683--721},
  abstract = {\emph{HOL-TestGen} is a specification and test case generation
                  environment extending the interactive theorem prover
                  Isabelle/HOL. As such, HOL-TestGen allows for an
                  integrated workflow supporting interactive theorem
                  proving, test case generation, and test data
                  generation.  The HOL-TestGen method is two-staged:
                  first, the original formula is partitioned into test
                  cases by transformation into a normal form called
                  test theorem. Second, the test cases are analyzed
                  for ground instances (the test data) satisfying the
                  constraints of the test cases. Particular emphasis
                  is put on the control of explicit test-hypotheses
                  which can be proven over concrete programs.  Due to
                  the generality of the underlying framework, our
                  system can be used for black-box unit, sequence,
                  reactive sequence and white-box test
                  scenarios. Although based on particularly clean
                  theoretical foundations, the system can be applied
                  for substantial case-studies.},
  pdf = {http://www.lri.fr/~wolff/papers/journals/brucker.ea-hol-testgen-2008.rev-1.pdf},
  keywords = {Isabelle/HOL, Theorem proving, Model-based Testing, Program-based Testing, Testcase Generation},
  doi = {10.1007/s00165-012-0222-y},
  area = {logical_representations},
  classification = {journal}
}
@article{boehme.ea:2009,
  author = {Sascha B\"ohme and Micha{\l} Moskal and Wolfram
                  Schulte and Burkhart Wolff},
  title = {{HOL}-{B}oogie --- {A}n {I}nteractive {P}rover-{B}ackend for the {V}erified {C} {C}ompiler},
  journal = {Journal of Automated Resoning (JAR)},
  year = 2009,
  abstract = {\emph{Boogie} is a verification condition generator for
                  an imperative core language.  It has front-ends for
                  the programming languages C{\#} and C enriched by
                  annotations in first-order logic, ie pre- and
                  postconditions, assertions, and loop invariants.
                  Moreover, concepts like ghost fields, ghost
                  variables, ghost code and speci\-fication functions
                  have been introduced to support a specific modeling
                  methodology.  Boogie's verification conditions ---
                  constructed via a $\mathit{wp}$ calculus from
                  annotated programs --- are usually transferred to
                  automated theorem provers such as \emph{Simplify} or
                  \emph{Z3}. This also comprises the expansion of
                  language-specific modeling constructs in terms of a
                  theory describing memory and elementary operations
                  on it; this theory is called \emph{machine/memory
                  model}.  In this paper, we present a proof
                  environment, HOL-Boogie, that combines Boogie with
                  the interactive theorem prover Isabelle/\HOL, for a
                  specific C front-end and machine/memory model.  In
                  particular, we present specific techniques combining
                  automated and interactive proof methods for code
                  verification. The main goal of our environment is to
                  help program verification engineers in their task to
                  ``debug'' annotations and to find combined proofs
                  where purely automatic proof attempts fail.  },
  doi = {10.1007/s10817-009-9142-9},
  volume = 44,
  number = {1--2},
  pages = {111--144},
  pdf = {http://www.lri.fr/~wolff/papers/journals/hol-boogie.pdf},
  keywords = {Isabelle/HOL, Theorem proving, Program verification, Memory models, Annotation languages},
  classification = {journal}
}
@article{brucker.ea:2009,
  author = {Achim D. Brucker and Burkhart Wolff},
  title = {{S}emantics, {C}alculi, and {A}nalysis for {O}bject-{O}riented {S}pecifications},
  journal = {Acta Informatica},
  volume = 46,
  number = 4,
  pages = {255--284},
  year = 2009,
  abstract = {We present a formal semantics for an object-oriented
                  specification language. The formal semantics is
                  presented as a conservative shallow embedding in
                  Isabelle/HOL and the language is oriented towards
                  OCL formulae in the context of UML class
                  diagrams. On this basis, we formally derive several
                  equational and tableaux calculi, which form the
                  basis of an integrated proof environment including
                  automatic proof support and support for the analysis
                  of this type of specifications.  We show applications
                  of our proof environment to data refinement based on
                  an adapted standard refinement notion. Thus, we
                  provide an integrated formal method for refinement-based 
                  object-oriented development. },
  pdf = {http://www.lri.fr/~wolff/papers/journals/acta-holocl.pdf},
  keywords = {UML , OCL , object-oriented specification , refinement , formal methods},
  doi = {10.1007/s00236-009-0093-8},
  area = {logical_representations},
  classification = {journal}
}
@article{daum.ea:fairness:2009,
  author = {Matthias Daum and Jan D\"{o}rrenb\"{a}cher and Burkhart Wolff},
  title = {{P}roving {F}airness and {I}mplementation {C}orrectness of a {M}icrokernel {S}cheduler},
  journal = {Journal of Automated Reasoning (JAR)},
  volume = 42,
  number = {2--4},
  year = 2009,
  pdf = {http://www.lri.fr/~wolff/papers/journals/pre-fairness.pdf},
  pages = {349--388},
  publisher = {Springer Verlag},
  abstract = {We report on the formal proof of a microkernel's key
                  property, namely the fairness property of its
                  multi-priority process scheduler. The proof
                  architecture links a layer of behavioral reasoning
                  over system-trace sets with a concrete, fairly
                  realistic implementation written in C.  Our
                  microkernel provides an infra-structure for memory
                  virtualization, for communication with hardware
                  devices, for processes (represented as a sequence of
                  assembler instructions, which are executed
                  concurrently over an underlying, formally defined
                  processor), and for inter-process communication
                  (IPC) via synchronous message passing. The kernel
                  establishes process switches according to IPCs and
                  timer-events; however, the scheduling of process
                  switches follows a hierarchy of priorities,
                  favoring, e. g., system processes over application
                  processes over maintenance processes.  Besides the
                  quite substantial models developed in Isabelle/HOL
                  and the formal clarification of their relationship,
                  we provide a detailed analysis what formal
                  requirements a microkernel imposes on the key
                  ingredients (hardware, timers, machine-dependent
                  code) in order to establish the correct operation of
                  the overall system. On the methodological side, we
                  show how early modeling with hindsight to the later
                  verification has substantially helped our project.},
  doi = {10.1007/s10817-009-9119-8},
  note = {G. Klein, R. Huuck and B. Schlich: Special Issue on Operating System Verification (2008).},
  keywords = {Microkernel, Formal verification, Interactive theorem proving, Isabelle/HOL},
  area = {logical_representations},
  classification = {journal}
}
@incollection{brucker.ea:hol-testgen:2009,
  title = {{HOL-TestGen:} {A}n {I}nteractive {T}est-case {G}eneration {F}ramework},
  abstract = {We present HOL-TestGen, an extensible test environment for
		  specification-based testing build upon the proof assistant
		  Isabelle. HOL-TestGen leverages the semi-automated
		  generation of test theorems (a form of a partition), and
		  their refinement to concrete test data, as well as the
		  automatic generation of a test driver for the execution and
		  test result verification.
		  
		  HOL-TestGen can also be understood as a unifying technical
		  and conceptual framework for presenting and investigating
		  the variety of unit and sequence test techniques in a
		  logically consistent way. },
  keywords = {symbolic test case generations, black box testing, white
		  box testing, theorem proving, interactive testing},
  location = {York, UK},
  author = {Achim D. Brucker and Burkhart Wolff},
  booktitle = {Fundamental Approaches to Software Engineering
		  {(FASE09)}},
  language = {USenglish},
  publisher = {Springer-Verlag},
  address = {Heidelberg},
  series = {Lecture Notes in Computer Science},
  number = {5503},
  doi = {10.1007/978-3-642-00593-0_28},
  pages = {417--420},
  editor = {Marsha Chechik and Martin Wirsing},
  categories = {holtestgen},
  classification = {conference},
  year = {2009},
  pdf = {http://www.brucker.ch/bibliography/download/2009/brucker.ea-hol-testgen-2009.pdf},
  ps = {http://www.brucker.ch/bibliography/download/2009/brucker.ea-hol-testgen-2009.ps.gz},
  public = {yes},
  url = {http://www.brucker.ch/bibliography/abstract/brucker.ea-hol-testgen-2009}
}
@incollection{aspinall.ea:assisted:2005,
  title = {{A}ssisted {P}roof {D}ocument {A}uthoring},
  abstract = {Significant advances have been made in formalised
		  mathematical texts for large, demanding proofs. But
		  although such large developments are possible, they still
		  take an inordinate amount of effort and there is a
		  significant gap between the resulting formalised
		  machinecheckable proof scripts and the corresponding
		  human-readable mathematical texts. We present an authoring
		  system for formal proof which addresses these concerns. It
		  is based on a central document format which, in the
		  tradition of literate programming, allows one to extract
		  either a formal proof script or a human-readable document;
		  the two may have differing structure and detail levels, but
		  are developed together in a synchronised way. Additionally,
		  we introduce ways to assist production of the central
		  document, by allowing tools to contribute backflow to
		  update and extend it. Our authoring system builds on the
		  new PG Kit architecture for Proof General, bringing the
		  extra advantage that it works in a uniform interface,
		  generically across various interactive theorem provers.},
  author = {David Aspinall and Christoph L\"uth and Burkhart Wolff},
  booktitle = {Fourth International Conference on Mathematical Knowledge
		  Management (MKM 05)},
  copyright = {\copyright Springer-Verlag},
  doi = {10.1007/11618027_5},
  language = {USenglish},
  publisher = {Springer Verlag},
  pdf = {http://www.lri.fr/~wolff/papers/conf/aspinall-authoring-mkm-06.pdf},
  series = {LNCS 3863.},
  year = 2005,
  classification = {conference}
}
@article{basin.ea:berichte:2000,
  author = {David Basin and Luca Vigan{\`o} and Burkhart Wolff},
  classification = {conference},
  file = {http://kisogawa.ethz.ch/WebBIB/publications-softech/papers/2000/overview.ps.gz},
  filelabel = {English translation},
  journal = {PIK (Praxis der Informationsverarbeitung und
		  Kommunikation)},
  language = {german},
  number = 4,
  pages = {248--249},
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications-softech/papers/2000/uebersicht.pdf},
  ps = {http://kisogawa.ethz.ch/WebBIB/publications-softech/papers/2000/uebersicht.ps.gz},
  title = {Berichte aus den Instituten: Lehrstuhl f{\"u}r
		  Softwaretechnik und Softwareproduktionsumgebung, Freiburg},
  volume = 23,
  year = 2000
}
@techreport{basin.ea:specifying:2005,
  abstract = {We report on a case-study in using the data-oriented
		  modeling language Z to formalize a security architecture
		  for administering digital signatures and its architectural
		  security requirements. Within an embedding of Z in the
		  higher-order logic Isabelle/HOL, we provide formal
		  machine-checked proofs of the correctness of the
		  architecture with respect to its requirements. A
		  formalization and verification of the same architecture has
		  been previously carried out using the process-oriented
		  modeling language PROMELA and the SPIN model checker. We
		  use this as a basis for comparing these two different
		  approaches to formalization (infinite state with rich data
		  types versus finite state) and verification (theorem
		  proving versus model checking).},
  author = {David Basin and Hironobu Kuruma and Kazuo Takaragi and
		  Burkhart Wolff},
  institution = {Computer Security Group, ETH Z\"urich},
  language = {USenglish},
  month = 1,
  number = 471,
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications-softech/papers/2005/HSD.pdf},
  title = {{S}pecifying and {V}erifying {H}ysteresis {S}ignature {S}ystem with {HOL-Z}},
  year = 2005,
  user = {wolff}
}
@article{DBLP:journals/fac/BruckerW13,
  author = {Achim D. Brucker and
               Burkhart Wolff},
  title = {On theorem prover-based testing},
  journal = {Formal Asp. Comput.},
  volume = {25},
  number = {5},
  pages = {683--721},
  year = {2013},
  url = {https://doi.org/10.1007/s00165-012-0222-y},
  doi = {10.1007/s00165-012-0222-y},
  timestamp = {Tue, 06 Jun 2017 22:21:37 +0200},
  biburl = {http://dblp.org/rec/bib/journals/fac/BruckerW13},
  bibsource = {dblp computer science bibliography, http://dblp.org}
}
@proceedings{basin.ea:theorem:2003,
  abstract = {This book constitutes the refereed proceedings of the 16th
		  International Conference on Theorem Proving in Higher Order
		  Logics, TPHOLs 2003, held in Rome, Italy in September 2003.
		  The 24 revised full papers presented together with an
		  invited paper were carefully reviewed and selected from 50
		  submissions. The papers are organized in topical sections
		  on hardware and Assembler languages, proof automation, fool
		  combination, logic extensions, theorem prover technology,
		  mathematical theories, and security. Among the theorem
		  proving systems discussed are HOL, Coq, MetaPRL, and
		  Isabelle/Isar.Geschrieben f\"ur:Researchers and
		  professionalsSchlagworte: automated deduction formal
		  methods formal verification hardware verification
		  higher-order logic logic design mathematical logic model
		  checking program verification proof theory theorem provers
		  theorem proving unification},
  address = {Rome, Italy},
  copyright = {\ Springer-Verlag},
  doi = {10.1007/b11935},
  editor = {David Basin and Burkhart Wolff},
  language = {USenglish},
  month = {Sep},
  note = {LNCS 2758.},
  publisher = {Springer-Verlag},
  title = {{T}heorem {P}roving in {H}igher {O}rder {L}ogics, 16th {I}nternational {C}onference ({TPHOL}s 2003)},
  year = 2003,
  user = {wolff}
}
@incollection{basin.ea:verification:2005,
  abstract = {We report on a case study in using HOL-Z, an embedding of
		  Z in higher-order logic, to specify and verify a security
		  architecture for administering digital signatures. We have
		  used HOL-Z to formalize and combine both data-oriented and
		  process-oriented architectural views. Afterwards, we
		  formalized temporal requirements in Z and carried out
		  verification in higher-order logic. The same architecture
		  has been previously verified using the SPIN model checker.
		  Based on this, we provide a detailed comparison of these
		  two di erent approaches to formalization (infinite state
		  with rich data types versus finite state) and verification
		  (theorem proving versus model checking). Contrary to common
		  belief, our case study suggests that Z is well suited for
		  temporal reasoning about process models with rich data.
		  Moreover, our comparison highlights the advantages of this
		  approach and provides evidence that, in the hands of
		  experienced users, theorem proving is neither substantially
		  more time-consuming nor more complex than model checking.},
  author = {David Basin and Hironobu Kuruma and Kazuo Takaragi and
		  Burkhart Wolff },
  booktitle = {Formal Methods 2005},
  copyright = {\copyright Springer-Verlag},
  doi = {10.1007/11526841_19},
  language = {USenglish},
  pages = {269--285},
  publisher = {Springer Verlag},
  series = {LNCS 3582},
  title = {{V}erification of a {S}ignature {A}rchitecture with {HOL-Z}},
  pdf = {http://www.lri.fr/~wolff/papers/conf/Basin-Verification-FM05.pdf},
  year = 2005,
  user = {wolff}
}
@article{basin.ea:verifying:2007,
  abstract = {We report on a case study in applying different formal
		  methods to model and verify an architecture for
		  administrating digital signatures. The architecture
		  comprises several concurrently executing systems that
		  authenticate users and generate and store digital
		  signatures by passing security relevant data through a
		  tightly controlled interface. The architecture is
		  interesting from a formal-methods perspective as it
		  involves complex operations on data as well as process
		  coordination and hence is a candidate for both
		  data-oriented and process-oriented formal methods.We have
		  built and verified two models of the signature architecture
		  using two representative formal methods. In the first, we
		  specify a data model of the architecture in Z that we
		  extend to a trace model and interactively verify by theorem
		  proving. In the second, we model the architecture as a
		  system of communicating processes that we verify by
		  finite-state model checking. We provide a detailed
		  comparison of these two different approaches to
		  formalization (infinite state with rich data types versus
		  finite state) and verification (theorem proving versus
		  model checking). Contrary to common belief, our case study
		  suggests that Z is well suited for temporal reasoning about
		  process models with complex operations on data. Moreover,
		  our comparison highlights the advantages of proving
		  theorems about such models and provides evidence that, in
		  the hands of an experienced user, theorem proving may be
		  neither substantially more time-consuming nor more complex
		  than model checking.},
  author = {David Basin and Hironobu Kuruma and Kunihiko Miyazaki and
		  Kazuo Takaragi and Burkhart Wolff},
  copyright = {\copyright Springer-Verlag},
  doi = {10.1007/s00165-006-0012-5},
  journal = {Formal Aspects of Computing},
  language = {USenglish},
  month = {March},
  note = {http://www.springerlink.com/content/u368650p18557674/?p=8851693f5ba14a3fb9d493dae37783b8&pi=0},
  number = 1,
  pages = {63--91},
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications/papers/2007/fac.submit.pdf},
  title = {Verifying a signature architecture: a comparative case study},
  volume = 19,
  year = 2007,
  user = {lukasbru}
}
@article{basin.ea:z:2007,
  abstract = {Z is a standardized and well-established formal
		  specification language originally developed in the 80ies by
		  researchers at oxford University. Although the original
		  emphasis of Z is on specification, the semantics for Z can
		  be expressed within higher-order logic (HOL). On this
		  basis, a theorem-proving environment such as Isabelle/HOL-Z
		  can be built. In this paper, we show how properties over
		  specifications can be formally proven in HOL-Z. Particular
		  emphasis is put on proving relationships between
		  specification such as refinement.},
  author = {David Basin and Hironobu Kuruma and Shin Nakajima and
		  Burkhart Wolff},
  url = {http://www.jstage.jst.go.jp/browse/jssst/24/2/_contents},
  journal = {Computer Software --- Journal of the Japanese Society for
		  Software Science and Technology},
  language = {USenglish},
  month = {April},
  note = {In Japanese. },
  number = 2,
  pages = {21--26},
  title = {{T}he {Z} {S}pecification {L}anguage and the {P}roof {E}nvironment {Isabelle/HOL-Z}},
  volume = 24,
  year = 2007,
  user = {wolff}
}
@incollection{bohme.ea:hol-boogie:2008,
  abstract = {Boogie is a program verification condition generator for
		  animperative core language. It has front-ends for the
		  programming languagesC# and C enriched by annotations in
		  first-order logic.Its verification conditions --- constructed
		  via a wp calculus from these annotations --- are usually
		  transferred to automated theorem provers such as Simplify or
		  Z3. In this paper, however, we present a
		  proof-environment,HOL-Boogie, that combines Boogie with the
		  interactivetheorem prover Isabelle/HOL. In particular, we
		  present specific techniquescombining automated and
		  interactive proof methods for code-verification.We will
		  exploit our proof-environment in two ways: First, we
		  present scenariosto \"debug\" annotations (in particular:
		  invariants) by interactiveproofs. Second, we use our
		  environment also to verify \"background theories\",i.e.
		  theories for data-types used in annotations as well as
		  memoryand machine models underlying the verification method
		  for C.},
  address = {Montreal, Canada},
  author = {Sascha B\"ohme and Rustan Leino and Burkhart Wolff},
  booktitle = {21th International Conference on Theorem proving in
		  Higher-Order Logics (TPHOLs 2008)},
  copyright = {\copyright Springer-Verlag},
  doi = {10.1007/978-3-540-71067-7_15},
  editor = {Sofiene Tahar and Otmane Ait Mohamed and C{\'e}sar
		  Mu{\~n}oz},
  language = {USenglish},
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications/papers/2008/boehme_tphols_2008.pdf},
  publisher = {Springer-Verlag},
  series = {LNCS 5170},
  title = {{HOL-Boogie} --- {A}n {I}nteractive {P}rover for the {B}oogie {P}rogram {V}erifier},
  year = 2008,
  user = {lukasbru}
}
@techreport{brucker.ea:checking:2001,
  url = {http://www.brucker.ch/bibliography/abstract/brucker.ea-checking-2001},
  author = {Achim D. Brucker and Burkhart Wolff},
  institution = {Albert-Ludwigs-Universit{\"a}t Freiburg},
  language = {USenglish},
  month = jul,
  classification = {unrefereed},
  title = {{Checking OCL Constraints in Distributed Systems Using
		  J2EE/EJB}},
  abstract = {We present a pragmatic approach using formal methods to
		  increase the quality of distributed component based
		  systems: Based on UML class diagrams annotated with OCL
		  constraints, code for runtime checking of components in
		  J2EE/EJB is automatically generated. Thus, a UML--model for
		  a component can be used in a black--box test for the
		  component. Further we introduce different design patterns
		  for EJBs, which are motivated by different levels of
		  abstraction, and show that these patterns work smoothly
		  together with our OCL constraint checking.
		  
		  A prototypic implementation of the code generator,
		  supporting our design patterns with OCL support, has been
		  integrated into a commercial software development tool.},
  keywords = {OCL, Constraint checking, EJB, J2EE, Design by Contract,
		  Design Pattern, Distributed Systems},
  year = 2001,
  number = 157,
  num_pages = 46,
  contributions = {Using OCL Constrains in a EJB environment and Design
		  Patterns for EJBs.},
  pdf = {http://www.brucker.ch/bibliography/download/2001/tr01.pdf},
  ps = {http://www.brucker.ch/bibliography/download/2001/tr01.ps.gz}
}
@incollection{brucker.ea:cvs-server:2002,
  url = {http://www.brucker.ch/bibliography/abstract/brucker.ea-cvs-server-2002},
  author = {Achim D. Brucker and Frank Rittinger and Burkhart Wolff},
  title = {The {CVS}-Server Case Study: A Formalized Security
		  Architecture},
  editor = {Dominik Haneberg and Gerhard Schellhorn and Wolfgang
		  Reif},
  booktitle = {FM-TOOLS 2002},
  classification = {conference},
  year = 2002,
  series = {Technical Report},
  number = {2002--11},
  pages = {47--52},
  month = jul,
  organization = {University Augsburg},
  address = {Augsburg},
  pdf = {http://www.brucker.ch/bibliography/download/2002/fmtools_cvs_02.pdf},
  language = {USenglish},
  abstract = {CVS is a widely known version management system.
		  Configured in server mode, it can be used for the
		  distributed development of software as well as its
		  distribution from a central database called the
		  \emph{repository}. In this setting, a number of security
		  mechanisms have to be integrated into the CVS-server
		  architecture.
		  
		  We present an abstract formal model of the access control
		  aspects of a CVS-server architecture enforcing a role-based
		  access control on the data in the repository. This abstract
		  architecture is refined to an implementation architecture,
		  which represents (an abstraction of) a concrete CVS-server
		  configuration running in a POSIX/UNIX environment.
		  
		  Both the abstract as well as the concrete architecture are
		  specified in the language Z. The specification is compiled
		  to HOL-Z, such that refinement proofs for this case study
		  can be done in Isabelle/HOL. },
  project = {FSA}
}
@techreport{brucker.ea:cvs-server:2002-b,
  url = {http://www.brucker.ch/bibliography/abstract/brucker.ea-cvs-server-2002-b},
  author = {Achim D. Brucker and Frank Rittinger and Burkhart Wolff},
  institution = {Albert-Ludwigs-Universit{\"a}t Freiburg},
  language = {USenglish},
  number = 182,
  title = {A {CVS-Server} Security Architecture --- Concepts and
		  Formal Analysis},
  abstract = {We present a secure architecture of a CVS-server, its
		  implementation (i.e. mainly its configuration) and its
		  formal analysis. Our CVS-server is uses cvsauth, that
		  provides protection of passwords and protection of some
		  internal data of the CVS repository. In contrast to other
		  (security oriented) CVS-architectures, our approach allows
		  the CVS-server run on an open filesystem, i.e. a filesystem
		  where users can have direct access both by CVS-commands and
		  by standard UNIX/POSIX commands such as \unixcmd{mv}.
		  
		  For our secure architecture of the CVS-server, we provide a
		  formal specification and security analysys. The latter is
		  based on a refinement mapping high-level security
		  requirements on the architecture on low-level security
		  mechanisms on the UNIX/POSIX filesystem level.
		  
		  The purpose of the formal analysis of the secure CVS-server
		  architecture is twofold: First, it is the bases for the
		  specification of mutual security properties such as
		  non-repudiation, authentication and access control for this
		  architecture. Second, the mapping of the architecture on
		  standard security implementation technology is described.
		  
		  Thus, our approach can be seen as a method to give a formal
		  underpinning for the usually tricky business of system
		  administrators.},
  keywords = {security architecture, Concurrent Versions System (CVS),
		  Z, formal methods, refinement},
  year = 2002,
  classification = {unrefereed},
  num_pages = 100,
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications-softech/papers/2002/cvs_arch.pdf},
  ps = {http://kisogawa.ethz.ch/WebBIB/publications-softech/papers/2002/cvs_arch.ps.gz}
}
@article{brucker.ea:extensible:2008,
  abstract = {We present an extensible encoding of object-oriented data
		  models into higher-order logic (HOL). Our encoding is
		  supported by a datatype package that leverages the use of
		  the shallow embedding technique to object-oriented
		  specification and programming languages. The package
		  incrementally compiles an object-oriented data model, i.e.,
		  a class model, to a theory containing object-universes,
		  constructors, accessor functions, coercions (casts) between
		  dynamic and static types, characteristic sets, and
		  co-inductive class invariants. The package is conservative,
		  i. e., all properties are derived entirely from constant
		  definitions, including the constraints over object
		  structures. As an application, we use the package for an
		  object-oriented core-language called IMP++, for which we
		  formally prove the correctness of a Hoare logic with
		  respect to a denotational semantics.},
  author = {Achim D. Brucker and Burkhart Wolff},
  journal = {Journal of Automated Reasoning (JAR)},
  classification = {journal},
  language = {USenglish},
  note = {Serge Autexier, Heiko Mantel, Stephan Merz, and Tobias Nipkow (eds)},
  pdf = {https://www.lri.fr/~wolff/papers/journals/brucker.ea-extensible-2008-b},
  title = {{A}n {E}xtensible {E}ncoding of {O}bject-oriented {D}ata {M}odels in {HOL} with an {A}pplication to {IMP++}},
  volume = {Selected Papers of the AVOCS-VERIFY Workshop 2006},
  doi = {10.1007/s10817-008-9108-3},
  pages = {219-249},
  volume = 41,
  number = {3--4},
  year = 2008
}
@incollection{brucker.ea:extensible:2008-b,
  abstract = {We present a datatype package that enables the shallow
		  embedding technique to object-oriented specification and
		  programming languages. This datatype package incrementally
		  compiles an object-oriented data model to a theory
		  containing object-universes, constructors, accessors
		  functions, coercions between dynamic and static types,
		  characteristic sets, their relations reflecting
		  inheritance, and the necessary class invariants. The
		  package is conservative, i.e., all properties are derived
		  entirely from axiomatic definitions. As an application, we
		  use the package for an object-oriented core-language called
		  imp++, for which correctness of a Hoare-Logic with respect
		  to an operational semantics is proven. },
  address = {Paphos, Cyprus},
  author = {Achim D. Brucker and Burkhart Wolff},
  booktitle = {Proceedings of the European Conference of Object-Oriented
		  Programming (ECOOP 2008)},
  copyright = {\copyright Springer-Verlag},
  doi = {10.1007/978-3-540-70592-5_19},
  editor = {Jan Vitek},
  isbn = {0302-9743},
  language = {USenglish},
  classification = {conference},
  month = {July},
  pages = {438--462},
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications/papers/2008/brucker.ea-datatype-2008.pdf},
  publisher = {Springer-Verlag},
  series = {LNCS 5142},
  title = {Extensible Universes for Object-Oriented Data Models },
  url = {http://www.springerlink.com/content/416483625116hw37/?p=b2e4cfb4996441a9b171c4594f015499&pi=18},
  year = 2008,
  user = {lukasbru}
}
@inproceedings{brucker.ea:formal:2008,
  title = {{A} {F}ormal {P}roof {E}nvironment for {UML/OCL}},
  abstract = {We present the theorem proving environment HOL-OCL that is
		  integrated in a MDE framework. HOL-OCL allows to reason
		  over UML class models annotated with OCL
		  specifications. Thus, HOL-OCL strengthens a crucial part of
		  the UML to an object-oriented formal method. \holocl
		  provides several derived proof calculi that allow for
		  formal derivations establishing the validity of UML/OCL
		  formulae. These formulae arise naturally when checking the
		  consistency of class models, when formally refining
		  abstract models to more concrete ones or when discharging
		  side-conditions from model-transformations.},
  author = {Achim D. Brucker and Burkhart Wolff},
  booktitle = {Proceedings of Formal Aspects of Software Engineering
		  (FASE 2008)},
  isbn = {0302-9743},
  language = {USenglish},
  classification = {conference},
  pages = {97--101},
  doi = {10.1007/978-3-540-78743-3_8},
  pdf = {http://kisogawa.inf.ethz.ch/WebBIB/publications/papers/2008/2008-fase-hol-ocl.pdf},
  publisher = {Springer Berlin / Heidelberg},
  series = {Lecture Notes in Computer Science},
  volume = 4961,
  year = 2008
}
@techreport{brucker.ea:hol-ocl-book:2006,
  author = {Achim D. Brucker and Burkhart Wolff},
  institution = {ETH Z{\"u}rich},
  language = {USenglish},
  title = {The {HOL-OCL} {B}ook},
  classification = {unrefereed},
  categories = {holocl},
  year = 2006,
  number = 525,
  pdf = {http://www.brucker.ch/bibliography/download/2006/brucker.ea-hol-ocl-book-2006.pdf},
  abstract = {HOL-OCL is an interactive proof environment for the Object
		  Constraint Language (OCL). It is implemented as a shallow
		  embedding of OCL into the Higher-order Logic (HOL) instance
		  of the interactive theorem prover Isabelle. HOL-OCL defines
		  a machine-checked formalization of the semantics as
		  described in the standard for OCL 2.0. This conservative,
		  shallow embedding of UML/OCL into Isabelle/HOL includes
		  support for typed, extensible UML data models supporting
		  inheritance and subtyping inside the typed lambda-calculus
		  with parametric polymorphism. As a consequence of
		  conservativity with respect to higher-order logic (HOL), we
		  can guarantee the consistency of the semantic model.
		  Moreover, HOL-OCL provides several derived calculi for
		  UML/OCL that allow for formal derivations establishing the
		  validity of UML/OCL formulae. Elementary automated support
		  for such proofs is also provided top },
  bibkey = {brucker.ea:hol-ocl-book:2006},
  keywords = {security, SecureUML, UML, OCL, HOL-OCL,
		  model-transformation}
}
@incollection{brucker.ea:hol-ocl:2002,
  title = {{HOL-OCL}: Experiences, Consequences and Design Choices},
  url = {http://www.brucker.ch/bibliography/abstract/brucker.ea-hol-ocl-2002},
  abstract = {Based on experiences gained from an embedding of the
		  Object Constraint Language (OCL) in higher-order
		  logic~\cite{brucker.ea:proposal:2002}, we explore several
		  key issues of the design of a formal semantics of the OCL.
		  These issues comprise the question of the interpretation of
		  invariants, pre- and postconditions, their transformation,
		  an executable sub-language and the possibilities of
		  refinement notions. A particular emphasize is put on the
		  issue of mechanized deduction in UML/OCL specification. },
  keywords = {OCL, Formal semantics, Constraint languages, Refinement,
		  higher-order logic},
  paddress = {Heidelberg},
  address = {Dresden},
  author = {Achim D. Brucker and Burkhart Wolff},
  classification = {conference},
  booktitle = {UML 2002: Model Engineering, Concepts and Tools},
  copyright = {\copyright Springer-Verlag},
  doi = {10.1007/3-540-45800-X_17},
  language = {USenglish},
  publisher = {Springer-Verlag},
  series = {Lecture Notes in Computer Science},
  number = 2460,
  editor = {Jean-Marc J{\'e}z{\'e}quel and Heinrich Hussmann and
		  Stephen Cook},
  pdf = {http://www.brucker.ch/bibliography/download/2002/holocl_experiences.pdf},
  project = {CSFMDOS},
  year = 2002
}
@techreport{brucker.ea:hol-testgen:2005,
  author = {Achim D. Brucker and Burkhart Wolff},
  institution = {Computer Security Group, ETH Z\"urich},
  language = {USenglish},
  month = {apr},
  number = 482,
  title = {{HOL-TestGen} 1.0.0 User Guide},
  classification = {unrefereed},
  year = 2005,
  user = {wolff}
}
@incollection{brucker.ea:hol-z:2002,
  url = {http://www.brucker.ch/bibliography/abstract/brucker.ea-hol-z-2002},
  author = {Achim D. Brucker and Stefan Friedrich and Frank Rittinger
		  and Burkhart Wolff},
  title = {{HOL}-{Z} 2.0: A Proof Environment for Z-Specifications},
  editor = {Dominik Haneberg and Gerhard Schellhorn and Wolfgang
		  Reif},
  booktitle = {FMTOOLS 2002},
  classification = {conference},
  year = 2002,
  series = {Technical Report},
  pages = {33--38},
  month = jul,
  number = {2002--11},
  organization = {University Augsburg},
  address = {Augsburg},
  pdf = {http://www.brucker.ch/bibliography/download/2002/fmtools_holz_02.pdf},
  language = {USenglish},
  abstract = {We present a proof environment for the specification
		  language Z on top of Isabelle/HOL. It comprises a
		  \LaTeX-based front end (including the integrated
		  type-checker ZETA), generic facilities to generate proof
		  obligations and improved proof support for the logical
		  embedding HOL-Z, namely for the schema-calculus and
		  structural Z proofs. },
  project = {FSA}
}
@incollection{brucker.ea:interactive:2005,
  abstract = {HOL-TestGen is a test environment for specification-based
		  unit testing build upon the proof assistant Isabelle/HOL\@.
		  While there is considerable skepticism with regard to
		  interactive theorem provers in testing communities, we
		  argue that they are a natural choice for (automated)
		  symbolic computations underlying systematic tests. This
		  holds in particular for the development on non-trivial
		  formal test plans of complex software, where some parts of
		  the overall activity require inherently guidance by a test
		  engineer. In this paper, we present the underlying methods
		  for both black box and white box testing in interactive
		  unit test scenarios. HOL-TestGen can also be understood as
		  a unifying technical and conceptual framework for
		  presenting and investigating the variety of unit test
		  techniques in a logically consistent way. },
  address = {Edinburgh},
  author = {Achim D. Brucker and Burkhart Wolff},
  booktitle = {Formal Approaches to Testing of Software (FATES 05)},
  copyright = {\copyright Springer-Verlag},
  doi = {10.1007/11759744_7},
  editor = {Wolfgang Grieskamp and Carsten Weise},
  isbn = {3-540-25109-X},
  language = {USenglish},
  pages = {87--102},
  publisher = {Springer-Verlag},
  series = {LNCS 3997},
  title = {{I}nteractive {T}esting using {HOL-TestGen}},
  year = 2005,
  classification = {workshop},
  user = {wolff}
}
@inproceedings{brucker.ea:mda:2006,
  abstract = {We present an MDA framework, developed in the functional
		  programming language SML, that tries to bridge the gap
		  between formal software development and the needs of
		  industrial software development, e.g., code generation.
		  Overall, our tool-chain provides support for software
		  modeling using UML/OCL and guides the user from
		  type-checking and model transformations to code generation
		  and formal analysis of the UML/OCL model. We conclude with
		  a report on our experiences in using a functional language
		  for implementing MDA tools. },
  author = {Achim D. Brucker and J\"urgen Doser and Burkhart Wolff},
  booktitle = {6th OCL Workshop at the UML/MoDELS Conference},
  language = {USenglish},
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications/papers/2006/OclApps-framework.pdf},
  title = {An {MDA} Framework Supporting{ OCL}},
  classification = {workshop},
  year = 2006,
  user = {wolff}
}
@article{brucker.ea:mda:2007,
  abstract = {We present a model-driven architecture (MDA) framework
		  that integrates formal analysis techniques into an
		  industrial software development process model. This
		  comprises modeling using UML/OCL, processing models by
		  model transformations, code generation (including
		  runtime-test environments) and formal analysis using the
		  theorem proving environment HOL-OCL. Moreover, our
		  frameworks supports the verification of proof obligations
		  that are generated during model transformations.We show the
		  extensibility of our approach by providing a SecureUML
		  extension of the framework, which allows for an integrated
		  specification of security properties, their analysis and
		  their conversion to code.},
  author = {Achim D. Brucker and J\"urgen Doser and Burkhart Wolff},
  journal = {Electronic Communications of the EASST},
  language = {USenglish},
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications/papers/2007/easst-framework.pdf},
  title = {An {MDA} Framework Supporting {OCL}},
  url = {http://eceasst.cs.tu-berlin.de/index.php/eceasst/issue/view/12},
  volume = 5,
  year = 2007,
  classification = {workshop},
  user = {doserj}
}
@incollection{brucker.ea:model-based:2008,
  abstract = {Firewalls are a cornerstone of todays security
		  infrastructure for networks. Their configuration,
		  implementing a firewall policy, is inherently complex, hard
		  to understand, and difficult to validate. We present a
		  substantial case study performed with the model-based
		  testing tool HOL-TestGen. Based on a formal model of
		  firewalls and their policies in HOL, we first present a
		  derived theory for simplifying policies. We discuss
		  different test plans for test specifications. Finally, we
		  show how to integrate these issues to a domain-specific
		  firewall testing tool HOL-TestGen/FW.},
  address = {Tokyo, Japan},
  author = {Achim D. Brucker and Lukas Br{\"u}gger and Burkhart Wolff},
  booktitle = {Testcom/FATES 2008},
  copyright = {\copyright Springer-Verlag},
  doi = {10.1007/978-3-540-68524-1_9},
  editor = {Kenji Suzuki and Teruo Higashino},
  isbn = {0302-9743 (Print) 1611-3349 (Online)},
  language = {USenglish},
  pages = {103--118},
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications/papers/2008/2008-testcom-fw-test.pdf},
  publisher = {Springer-Verlag},
  series = {LNCS 5047},
  title = {Model-based Firewall Conformance Testing},
  url = {http://www.springerlink.com/content/5v5167t1216vlw7v/},
  year = 2008,
  classification = {conference},
  user = {lukasbru}
}
@incollection{brucker.ea:model:2006,
  abstract = { SecureUML is a security modeling language for formalizing
		  access control requirements in a declarative way. It is
		  equipped with a \UML notation in terms of a \UML profile,
		  and can be combined with arbitrary design modeling
		  languages. We present a semantics for SecureUML in terms of
		  a model transformation to standard \acs{uml}/\acs{ocl}. The
		  transformation scheme is used as part of an implementation
		  of a tool chain ranging from front-end visual modeling
		  tools over code-generators to the interactive theorem
		  proving environment \holocl. The methodological
		  consequences for an analysis of the generated \OCL formulae
		  are discussed.},
  address = {Genova},
  author = {Achim D. Brucker and J{\"u}rgen Doser and Burkhart Wolff},
  booktitle = {{MoDELS} 2006: Model Driven Engineering Languages and
		  Systems},
  copyright = {\copyright Springer-Verlag},
  doi = {10.1007/11880240_22},
  editor = {Oscar Nierstrasz and Jon Whittle and David Harel and
		  Gianna Reggio},
  filelabel = {Extended Version},
  language = {USenglish},
  note = {An extended version of this paper is available as ETH
		  Technical Report, no. 524.},
  pages = {306--320},
  publisher = {Springer-Verlag},
  series = {LNCS 4199},
  title = {A Model Transformation Semantics and Analysis Methodology
		  for {SecureUML}},
  year = 2006,
  pdf = {http://www.lri.fr/~wolff/papers/conf/brucker-2.ea-transformation-2006.pdf},
  user = {wolff},
  classification = {conference}
}
@incollection{brucker.ea:package:2006,
  author = {Achim D. Brucker and Burkhart Wolff},
  title = {A Package for Extensible Object-Oriented Data Models with
		  an Application to IMP++},
  editor = {Abhik Roychoudhury and Zijiang Yang},
  booktitle = {International Workshop on Software Verification and
		  Validation (SVV 2006)},
  year = 2006,
  series = {Computing Research Repository (CoRR)},
  month = aug,
  address = {Seattle, USA},
  language = {USenglish},
  abstract = {We present a datatype package that enables the use of
		  shallow embedding technique to object-oriented
		  specification and programming languages. The package
		  incrementally compiles an object-oriented data model to a
		  theory containing object-universes, constructors, and
		  accessor functions, coercions between dynamic and static
		  types, characteristic sets, their relations reflecting
		  inheritance, and the necessary class invariants. The
		  package is conservative, i.e., all properties are derived
		  entirely from axiomatic definitions. As an application, we
		  use the package for an object-oriented core-language called
		  \IMPOO, for which correctness of a Hoare logic with respect
		  to an operational semantics is proven.},
  categories = {holocl},
  ps = {http://www.brucker.ch/bibliography/download/2006/brucker.ea-package-2006.ps.gz},
  pdf = {http://www.brucker.ch/bibliography/download/2006/brucker.ea-package-2006.pdf},
  classification = {workshop},
  keywords = {datatype package, extensible object-oriented data model,
		  object-oriented specification,shallow embedding}
}
@incollection{brucker.ea:proposal:2002,
  url = {http://www.brucker.ch/bibliography/abstract/brucker.ea-proposal-2002},
  abstract = {We present a formal semantics as a conservative shallow
		  embedding of the Object Constraint Language (OCL). OCL is
		  currently under development within an open standardization
		  process within the OMG; our work is an attempt to accompany
		  this process by a proposal solving open questions in a
		  consistent way and exploring alternatives of the language
		  design. Moreover, our encoding gives the foundation for
		  tool supported reasoning over OCL specifications, for
		  example as basis for test case generation.},
  keywords = {Isabelle, OCL, UML, shallow embedding, testing},
  paddress = {Heidelberg},
  address = {Hampton, VA, USA},
  author = {Achim D. Brucker and Burkhart Wolff},
  classification = {conference},
  booktitle = {Theorem Proving in Higher Order Logics},
  copyright = {\copyright Springer-Verlag},
  doi = {10.1007/3-540-45685-6_8},
  editor = {C{\'e}sar Mu{\~n}oz and Sophi{\`e}ne Tahar and V{\'\i}ctor
		  Carre{\~n}o},
  language = {USenglish},
  pdf = {http://www.brucker.ch/bibliography/download/2002/ocl_semantic.pdf},
  filelabel = {extended},
  file = {http://www.brucker.ch/bibliography/download/2002/ocl_semantic_extended.pdf},
  publisher = {Springer-Verlag},
  series = {Lecture Notes in Computer Science},
  number = 2410,
  pages = {99--114},
  project = {CSFMDOS},
  title = {A Proposal for a Formal {OCL} Semantics in
		  {Isabelle/HOL}},
  year = 2002
}
@inproceedings{brucker.ea:semantic:2006,
  abstract = {We report on the results of a long-term project to
		  formalize the semantics of OCL 2.0 in Higher-order Logic
		  (HOL). The ultimate goal of the project is to provide a
		  formalized, machine-checked semantic basis for a theorem
		  proving environment for OCL (as an example for an
		  object-oriented specification formalism) which is as
		  faithful as possible to the original informal semantics. We
		  report on various (minor) inconsistencies of the OCL
		  semantics, discuss the more recent attempt to align the OCL
		  semantics with UML 2.0 and suggest several extensions which
		  make, in our view, OCL semantics more fit for future
		  extensions towards programming-like verifications and
		  specification refinement, which are, in our view, necessary
		  to make OCL more fit for future extensions. },
  author = {Achim D. Brucker and J\"urgen Doser and Burkhart Wolff},
  booktitle = {6th OCL Workshop at the UML/MoDELS Conference},
  language = {USenglish},
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications/papers/2006/OclApps-glitches.pdf},
  title = {Semantic Issues of {OCL}: Past, Present, and Future},
  year = 2006,
  url = {http://eceasst.cs.tu-berlin.de/index.php/eceasst/issue/view/12},
  classification = {conference},
  user = {wolff}
}
@article{brucker.ea:semantic:2007,
  abstract = {We report on the results of a long-term project to
		  formalize the semantics of OCL 2.0 in Higher-order Logic
		  (HOL). The ultimate goal of the project is to provide a
		  formalized, machine-checked semantic basis for a theorem
		  proving environment for OCL (as an example for an
		  object-oriented specification formalism) which is as
		  faithful as possible to the original informal semantics. We
		  report on various (minor) inconsistencies of the OCL
		  semantics, discuss the more recent attempt to align the OCL
		  semantics with UML 2.0 and suggest several extensions which
		  make, in our view, OCL semantics more fit for future
		  extensions towards program verifications and specification
		  refinement.},
  author = {Achim D. Brucker and J\"urgen Doser and Burkhart Wolff},
  journal = {Electronic Communications of the EASST},
  language = {USenglish},
  url = {http://eceasst.cs.tu-berlin.de/index.php/eceasst/issue/view/12},
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications/papers/2007/easst-glitches.pdf},
  title = {Semantic Issues of {OCL}: Past, Present, and Future},
  volume = 5,
  year = 2007,
  classification = {ejournal},
  user = {doserj}
}
@techreport{brucker.ea:symbolic:2004,
  abstract = {We present a method for the automatic generation of test
		  cases for HOL formulae containing primitive recursive
		  predicates. These test cases may be used for the animation
		  of specifications as well as for black-box-testing of
		  external programs.\\\\Our method is two-staged: first, the
		  original formula is partitioned into test cases by
		  transformation into a Horn-clause normal form (CNF).
		  Second, the test cases are analyzed for ground instances
		  satisfying the premises of the clauses. Particular emphasis
		  is put on the control of test hypothesis' and test
		  hierarchies to avoid intractability.\\\\We applied our
		  method to several examples, including AVL-trees and the
		  red-black implementation in the standard library from SML/NJ.},
  author = {Achim D. Brucker and Burkhart Wolff},
  institution = {Computer Security Group, ETH Z\"urich},
  language = {USenglish},
  month = {jun},
  number = 449,
  title = {Symbolic Test Case Generation for Primitive Recursive
		  Functions},
  year = 2004,
  classification = {unrefereed},
  user = {wolff}
}
@incollection{brucker.ea:symbolic:2005,
  abstract = {We present a method for the automatic generation of test
		  cases for HOL formulae containing primitive recursive
		  predicates. These test cases can be used for the animation
		  of specifications as well as for black-box testing of
		  external programs. Our method is two-staged: first, the
		  original formula is partitioned into test cases by
		  transformation into a Horn-clause normal form (HCNF).
		  Second, the test cases are analyzed for instances with
		  constant terms satisfying the premises of the clauses.
		  Particular emphasis is put on the control of test
		  hypotheses and test hierarchies to avoid intractability. We
		  applied our method to several examples, including AVL-trees
		  and the red-black tree implementation in the standard
		  library from SML/NJ. },
  address = {Linz 04},
  author = {Achim D. Brucker and Burkhart Wolff},
  booktitle = {Formal Approaches to Testing of Software (FATES 04)},
  copyright = {\copyright Springer-Verlag},
  doi = {10.1007/b106767},
  editor = {Jens Grabowski and Brian Nielsen},
  isbn = {3-540-25109-X},
  language = {USenglish},
  pages = {16--32},
  publisher = {Springer-Verlag},
  series = {LNCS 3395},
  title = {Symbolic Test Case Generation for Primitive Recursive
		  Functions},
  url = {http://springerlink.metapress.com/content/yqv0ajk1wb0ctllt/?p=4f2d15532c2c45e6a0673b2465e27f5e&pi=1},
  year = 2005,
  classification = {workshop},
  user = {wolff}
}
@incollection{brucker.ea:test-sequence:2007,
  abstract = {HOL-TestGen is a specification and test-case generation
		  environment extending the interactive theorem prover
		  Isabelle/HOL. Its method is two-staged: first, the original
		  formula is partitioned into test cases by transformation
		  into a normal form. Second, the test cases are analyzed for
		  ground instances (the test data) satisfying the constraints
		  of the test cases. Particular emphasis is put on the
		  control of explicit test hypotheses which can be proven
		  over concrete programs.
		  
		  Although originally designed for black-box unit-tests,
		  HOL-TestGen's underlying logic and deduction engine is
		  powerful enough to be used in test-sequence generation, too.
		  
		  We develop the theory for test-sequence generation with
		  HOL-TestGen and describe its use in a substantial
		  case-study in the field of computer security, namely the
		  black-box test of configured firewalls. },
  keywords = {security, model-based testing, specification-based
		  testing, firewall testing},
  paddress = {Heidelberg},
  address = {Zurich},
  author = {Achim D. Brucker and Burkhart Wolff},
  booktitle = {{TAP} 2007: Tests And Proofs},
  copyright = {\copyright Springer-Verlag},
  copyrighturl = {http://link.springer-ny.com/link/service/series/0558/},
  language = {USenglish},
  publisher = {Springer-Verlag},
  series = {Lecture Notes in Computer Science},
  number = 4454,
  editor = {Bertrand Meyer and Yuri Gurevich},
  project = {CSFMDOS},
  title = {Test-Sequence Generation with HOL-TestGen -- With an
		  Application to Firewall Testing },
  categories = {holtestgen},
  classification = {conference},
  year = 2007,
  doi = {10.1007/978-3-540-73770-4_9},
  pages = {149--168},
  isbn = {978-3-540-73769-8},
  classification = {conference},
  pdf = {http://www.brucker.ch/bibliography/download/2007/brucker.ea-test-sequence-2007.pdf},
  ps = {http://www.brucker.ch/bibliography/download/2007/brucker.ea-test-sequence-2007.ps.gz},
  url = {http://www.brucker.ch/bibliography/abstract/brucker.ea-test-sequence-2007}
}
@inproceedings{brucker.ea:testing:2001,
  url = {http://www.brucker.ch/bibliography/abstract/brucker.ea-testing-2001},
  author = {Achim D. Brucker and Burkhart Wolff},
  classification = {proceedings},
  title = {Testing Distributed Component Based Systems Using
		  {UML/OCL}},
  language = {USenglish},
  booktitle = {Informatik 2001},
  pages = {608--614},
  year = 2001,
  editor = {K. Bauknecht and W. Brauer and Th. M{\"u}ck},
  volume = 1,
  number = 157,
  series = {Tagungsband der GI/{\"O}CG Jahrestagung},
  address = {Wien},
  month = nov,
  organization = {{\"O}sterreichische Computer Gesellschaft},
  abstract = {We present a pragmatic approach using formal methods to
		  increase the quality of distributed component based
		  systems: Based on UML class diagrams annotated with OCL
		  constraints, code for runtime checking of components in
		  J2EE/EJB is automatically generated. Thus, a UML--model for
		  a component can be used in a black--box test for the
		  component. Further we introduce different design patterns
		  for EJBs, which are motivated by different levels of
		  abstraction, and show that these patterns work smoothly
		  together with our OCL constraint checking.
		  
		  A prototypic implementation of the code generator,
		  supporting our patterns with OCL support, has been
		  integrated into a commercial software development tool.},
  isbn = {3-85403-157-2},
  pdf = {http://www.brucker.ch/bibliography/download/2001/info2001.pdf},
  ps = {http://www.brucker.ch/bibliography/download/2001/info2001.ps.gz}
}
@incollection{brucker.ea:using:2003,
  abstract = { Tools for a specification language can be implemented
		  \emph{directly} (by building a special purpose theorem
		  prover) or \emph{by a conservative embedding} into a typed
		  meta-logic, which allows their safe and logically
		  consistent implementation and the reuse of existing theorem
		  prover engines. For being useful, the conservative
		  extension approach must provide derivations for several
		  thousand ``folklore'' theorems.\\\\In this paper, we
		  present an approach for deriving the mass of these theorems
		  mechanically from an existing library of the meta-logic.
		  The approach presupposes a structured \emph{theory
		  morphism} mapping library datatypes and library functions
		  to new functions of the specification language while
		  uniformly modifying some semantic properties; for example,
		  new functions may have a different treatment of
		  undefinedness compared to old ones.},
  address = {Nijmegen},
  author = {Achim D. Brucker and Burkhart Wolff},
  booktitle = {Types 2002, Proceedings of the workshop Types for Proof
		  and Programs},
  copyright = {\copyright Springer-Verlag},
  doi = {10.1007/3-540-45685-6_8},
  editor = {Herman Geuvers and Freek Wiedijk},
  isbn = {3-540-14031-X},
  language = {USenglish},
  publisher = {Springer-Verlag},
  series = {LNCS 2646},
  title = {Using Theory Morphisms for Implementing Formal Methods Tools},
  year = 2003,
  classification = {workshop},
  user = {wolff}
}
@article{brucker.ea:verification:2005,
  abstract = {We present a method for the security analysis of realistic
		  models over off-the-shelf systems and their configuration
		  by formal, machine-checked proofs. The presentation follows
		  a large case study based on a formal security analysis of a
		  CVS-Server architecture.\\\\The analysis is based on an
		  abstract architecture (enforcing a role-based access
		  control), which is refined to an implementation
		  architecture (based on the usual discretionary access
		  control provided by the \posix{} environment). Both
		  architectures serve as a skeleton to formulate access
		  control and confidentiality properties.\\\\Both the
		  abstract and the implementation architecture are specified
		  in the language Z. Based on a logical embedding of Z into
		  Isabelle/HOL, we provide formal, machine-checked proofs for
		  consistency properties of the specification, for the
		  correctness of the refinement, and for security properties.},
  author = {Achim D. Brucker and Burkhart Wolff},
  copyright = {\copyright Springer-Verlag},
  issn = {1433-2779},
  journal = {International Journal on Software Tools for Technology
		  Transfer (STTT)},
  language = {USenglish},
  number = 3,
  doi = {10.1007/s10009-004-0176-3},
  pages = {233--247},
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications/papers/2005/sttt_03.pdf},
  title = {A Verification Approach for Applied System Security},
  volume = 7,
  year = 2005,
  classification = {journal},
  user = {wolff}
}
@inproceedings{brucker.ea:verifying:2008,
  abstract = {HOL-TestGen is a specification and test case generation
		  environment extending the interactive theorem prover
		  Isabelle/HOL. The HOL-TestGen method is two-staged: first,
		  the original formula, called test specification, is
		  partitioned into test cases by transformation into a normal
		  form called test theorem. Second, the test cases are
		  analyzed for ground instances (the test data) satisfying
		  the constraints of the test cases. Particular emphasis is
		  put on the control of explicit test hypotheses which can be
		  proven over concrete programs. As such, explicit test
		  hypotheses establish a logical link between validation by
		  test and by proof. Since HOL-TestGen generates explicit
		  test hypotheses and makes them amenable to formal proof,
		  the system is in a unique position to explore the relations
		  between them at an example.},
  address = {Budapest, Hungary },
  author = {Achim D. Brucker and Lukas Br\"ugger and Burkhart Wolff},
  booktitle = {Model-based Testing (MBT) 2008 },
  editor = {Bernd Finkbeiner and Yuri Gurevich and Alexander K.
		  Petrenko},
  language = {USenglish},
  pages = {15-28},
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications/papers/2008/brucker.ea-testhyps-2008.pdf},
  publisher = {Elsevier Science Publishers },
  series = {Electronic Notes in Theoretical Computer Science},
  title = {Verifying Test-Hypotheses -- An Experiment in Test and
		  Proof},
  year = 2008,
  doi = {10.1016/j.entcs.2008.11.003},
  volume = 202,
  classification = {workshop},
  user = {lukasbru}
}
@article{brucker.rittinger.ea:hol-z,
  abstract = { We present a new proof environment for the specification
		  language Z. The basis is a semantic representation of Z in
		  a structure-preserving, shallow embedding in Isabelle/HOL.
		  On top of the embedding, new proof support for the Z schema
		  calculus and for proof structuring are developed. Thus, we
		  integrate Z into a well-known and trusted theorem prover
		  with advanced deduction technology such as higher-order
		  rewriting, tableaux-based provers and arithmetic decision
		  procedures. A further achievement of this work is the
		  integration of our embedding into a new tool-chain
		  providing a Z-oriented type checker, documentation
		  facilities and macro support for refinement proofs; as a
		  result, the gap has been closed between a logical embedding
		  proven correct and a \emph{tool} suited for applications of
		  non-trivial size.},
  author = {Achim D. Brucker and Frank Rittinger and Burkhart Wolff},
  journal = {Journal of Universal Computer Science},
  classification = {journal},
  language = {USenglish},
  title = {{HOL-Z} 2.0: {A} {P}roof {E}nvironment for {Z}-{S}pecifications},
  volume = 9,
  year = 2003,
  number = 2,
  pages = {152--172},
  month = feb,
  issn = {0948-6968},
  ps = {http://www.brucker.ch/bibliography/download/2003/jucs_holz_02.ps.gz},
  pdf = {http://www.brucker.ch/bibliography/download/2003/jucs_holz_02.pdf},
  copyright = {\copyright J.UCS},
  doi = {10.3217/jucs-009-02-0152},
  copyrighturl = {http://www.jucs.org/jucs_9_2/hol_z_2}
}
@inproceedings{brucker.wolff:case,
  author = {Achim D. Brucker and Burkhart Wolff},
  title = {A Case Study of a Formalized Security Architecture},
  booktitle = {Eighth International Workshop onFormal Methods for
		  Industrial Critical Systems (FMICS'03)},
  volume = 80,
  classification = {workshop},
  editor = {Thomas Arts and Wan Fokkink},
  publisher = {Elsevier Science Publishers},
  year = 2003,
  language = {USenglish},
  abstract = {CVS is a widely known version management system, which can
		  be used for the distributed development of software as well
		  as its distribution from a central database.
		  
		  In this paper, we provide an outline of a formal security
		  analysis of a CVS-Server architecture performed
		  in~\cite{brucker.ea:cvs-server:2002}. The analysis is based
		  on an abstract architecture (enforcing a role-based access
		  control on the repository), which is refined to an
		  implementation architecture (based on the usual
		  discretionary access control provided by the \posix{}
		  environment). Both architectures serve as framework to
		  formulate access control and confidentiality properties.
		  
		  Both the abstract as well as the concrete architecture are
		  specified in the language Z. Based on a logical embedding
		  of Z into Isabelle/HOL, we provide formal, machine-checked
		  proofs for consistency properties of the specification, for
		  the correctness of the refinement, and for some security
		  properties.
		  
		  Thus, we present a case study for the security analysis of
		  realistic models over an off-the-shelf system by formal
		  machine-checked proofs. },
  pdf = {http://www.brucker.ch/bibliography/download/2003/fmics_03.pdf},
  ps = {http://www.brucker.ch/bibliography/download/2003/fmics_03.ps.gz}
}
@incollection{daum.ea:verification:2008,
  abstract = {Though the verification of operating systems is an active
		  research field, a verification method is still missing that
		  provides both, the proximity to practically used
		  programming languages such as C and a realistic model of
		  concurrency, i.e. a model that copes with the granularity
		  of atomic operations actually used in a target machine.Our
		  approach serves as the foundation for the verification of
		  concurrent programs in C0 --- a C fragment enriched by kernel
		  communication primitives --- in a Hoare-Logic. C0 is compiled
		  by a verified compiler into assembly code representing a
		  cooperative concurrent transition system. For the latter,
		  it is shown that it can actually be executed in a true
		  concurrent way reflecting the C0 semantics.},
  author = {Matthias Daum and Jan D\"orrenb\"acher and Mareike Schmidt
		  and Burkhart Wolff},
  booktitle = {Verified Software: Theories, Tools, Experiments},
  copyright = {\copyright Springer-Verlag},
  doi = {10.1007/978-3-540-87873-5_15},
  language = {USenglish},
  month = {September},
  pages = {161--176},
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications/papers/2008/1_libvamos.pdf},
  publisher = {Springer Berlin / Heidelberg},
  series = {LNCS 5295},
  title = {A Verification Approach for System-Level Concurrent Programs },
  year = 2008,
  classification = {conference},
  user = {lukasbru}
}
@proceedings{garca.ea:proceedings:2006,
  abstract = {This book constitutes the refereed proceedings of the
		  International Workshop on Formal Aspects of Testing and
		  Runtime Verification, FATES/RV 2006, held in Seattle, USA
		  in August 2006 in conjuction with FLoC.The 14 revised full
		  papers presented together with twoinvited papers were
		  carefully reviewed and selected from 34 submissions. },
  address = {Seattle, USA},
  copyright = {\ Springer-Verlag},
  editor = {Manuel N{\'u}{\~n}ez Garc{\'\i}a and Klaus Havelund and
		   Grigore Rosu and Burkhart Wolff},
  copyrighturl = {http://dx.doi.org/10.1007/11940197},
  doi = {10.1007/11940197},
  language = {USenglish},
  note = {LNCS 4262.},
  publisher = {Springer Verlag},
  title = {Proceedings of the International Workshop on Formal
		  Aspects of Testing and Runtime Verification (FATES/RV)},
  year = 2006,
  classification = {workshop},
  user = {wolff}
}
@inproceedings{klmw96a,
  author = {Kolyang and C. L{\"u}th and T. Meier and B. Wolff},
  booktitle = {Proceedings of the User Interfaces for Theorem Provers
		  (UITP 96)},
  editor = {N. Merriam},
  publisher = {University of York},
  series = {Technical Report},
  title = {Generating Graphical User-Interfaces in a Functional
		  Setting},
  year = 1996,
  ps = {http://www.informatik.uni-bremen.de/~bu/papers/uitp96.ps.gz},
  language = {USEnglish},
  classification = {workshop}
}
@inproceedings{klmw97,
  author = {Kolyang and C. L{\"u}th and T. Meier and B. Wolff},
  booktitle = {TAPSOFT 97: Theory and Practice of Software Development },
  editor = {M. Bidoit, M. Dauchet},
  pages = {855--858},
  publisher = {Springer Verlag},
  series = {LNCS 1214},
  doi = {10.1007/BFb0030646},
  title = {TAS and IsaWin: Generic Interfaces for Transformational
		  Program Development and Theorem Proving},
  year = 1997,
  ps = {http://www.informatik.uni-bremen.de/~bu/papers/tapsoft.ps.gz},
  language = {USEnglish},
  classification = {conference}
}
@inproceedings{klmw97b,
  author = {Kolyang and C. L{\"}uth and T. Meier and B. Wolff},
  booktitle = {Proceedings of the ``International Workshop for Tool
		  Support in Verification and Validation{\'{}}{\'{}}},
  editor = {K.Berghammer, J.Peleska, B. Buth},
  publisher = {Shaker Verlag},
  series = {BISS Monographs},
  title = {Generic Interfaces for Transformation Systems and
		  Interactive Theorem Provers. },
  year = 1997,
  ps = {http://www.informatik.uni-bremen.de/~bu/papers/tsv.ps.gz},
  language = {USEnglish},
  classification = {workshop}
}
@inproceedings{klsw95,
  author = {B. Krieg-Br{\"u}ckner and J. Liu and H. Shi and B. Wolff},
  booktitle = {KORSO --- Methods, Languages, and Tools for the
		  Construction of Correct Software},
  editor = {M. Broy and S. J{\"a}hnichen},
  pages = {270--284},
  publisher = {Springer Verlag},
  series = {LNCS 1009},
  title = {Towards Correct, Efficient and Re-usable Transformational
		  Developments},
  year = 1995,
  ps = {http://www.informatik.uni-bremen.de/~bu/papers/klsw37.kurz.ps.gz},
  language = {USEnglish},
  classification = {workshop}
}
@inproceedings{ksw96a,
  author = {Kolyang and T. Santen and B. Wolff},
  booktitle = {FME 96 --- Industrial Benefits and Advances in Formal
		  Methods},
  editor = {M.-C. Gaudel and J. Woodcock},
  pages = {629--648},
  publisher = {Springer Verlag},
  series = {LNCS 1051},
  title = {Correct and User-Friendly Implementation of Transformation Systems},
  year = 1996,
  abstract = {We present an approach to integrate several existing tools
		  and methods to a technical framework for correctly
		  developing and executing program transformations. The
		  resulting systems enable program derivations in a
		  user-friendly way. We illustrate the approach by proving
		  and implementing the transformation Global Search on the
		  basis of the tactical theorem prover Isabelle. A graphical
		  user-interface based on the X-Window toolkit Tk provides
		  user friendly access to the underlying machinery.},
  ps = {http://www.lri.fr/~wolff/papers/conf/yats.ps.gz},
  pdf = {http://www.lri.fr/~wolff/papers/conf/yats.pdf},
  language = {USEnglish},
  doi = {10.1007/3-540-60973-3_111},
  classification = {conference}
}
@inproceedings{ksw96b,
  author = {Kolyang and T. Santen and B. Wolff},
  booktitle = {Theorem Proving in Higher Order Logics --- 9th
		  International Conference},
  editor = {J. von Wright and J. Grundy and J. Harrison},
  pages = {283--298},
  publisher = {Springer Verlag},
  series = {LNCS 1125},
  title = {A Structure Preserving Encoding of Z in Isabelle/HOL},
  year = 1996,
  comment = {The distributed version is slightly corrected w.r.t. the
		  original one.},
  ps = {http://www.lri.fr/~wolff/papers/conf/SPEZ_HOL.R.23.ps.gz},
  pdf = {http://www.lri.fr/~wolff/papers/conf/SPEZ_HOL.R.23.pdf},
  language = {USEnglish},
  abstract = {We present a semantic representation of the core concepts
		  of the specification language Z in higher-order logic.
		  Although it is a ``shallow embedding{\'{}}{\'{}} like the
		  one presented by Bowen and Gordon, our representation
		  preserves the structure of a Z specification and avoids
		  expanding Z schemas. The representation is implemented in
		  the higher- order logic instance of the generic theorem
		  prover Isabelle. Its parser can convert the concrete syntax
		  of Z schemas into their semantic representation and thus
		  spare users from having to deal with the representation
		  explicitly. Our representation essentially conforms with
		  the latest draft of the Z standard and may give both a
		  clearer understanding of Z schemas and inspire the
		  development of proof calculi for Z.},
  classification = {conference}
}
@inproceedings{kw95,
  author = {Kolyang and B. Wolff},
  booktitle = {Beitr{\"a}ge der GI-Fachtagung ``Softwaretechnik
		  95{\'{}}{\'{}}, Braunschweig},
  editor = {G. Snelting},
  pages = {57--66},
  publisher = {GI},
  series = {Mitteilungen der Fachgruppen `Software Engineering{\'{}}
		  und `Requirements-Engineering{\'{}},Band 15, Heft 3, ISSN
		  0720-8928},
  title = {Development by Refinement Revisited: Lessons learnt from an example.},
  year = {1995},
  ps = {http://www.informatik.uni-bremen.de/~bu/papers/LEX.ps.gz},
  language = {USEnglish},
  classification = {workshop}
}
@article{luth.ea:functional:1999,
  author = {Christoph L{\"u}th and Burkhart Wolff},
  title = {Functional Design and Implementation of Graphical User
		  Interfaces for Theorem Provers},
  journal = {Journal of Functional Programming},
  year = 1999,
  volume = 9,
  number = 2,
  pages = {167-- 189},
  classification = {journal},
  doi = {10.1017/S0956796899003421},
  month = march,
  abstract = {This paper attempts to develop a metaphor suited to
		  visualize the LCF-style prover design, and a methodology
		  for the implementation of graphical user interfaces for
		  these provers and encapsulations of formal methods. In this
		  problem domain, particular attention has to be paid to the
		  need to construct a variety of objects, keep track of their
		  interdependencies and provide support for their
		  reconstruction as a consequence of changes. We present a
		  prototypical implementation of a generic and
		  open interface system architecture, and show how
		  it can be instantiated to an interface for Isabelle, called
		  IsaWin, as well as to a tailored tool for transformational
		  program development, called TAS.},
  ps = {http://kisogawa.ethz.ch/WebBIB/publications-softech/papers/1999/fungui.ps.gz},
  language = {USenglish},
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications-softech/papers/1999/fungui.pdf}
}
@inproceedings{luth.ea:hol-z:1998,
  author = {Chritoph L{\"u}th and Einar W. Karlsen and Kolyang and
		  Stefan Westmeier and Burkhart Wolff},
  classification = {conference},
  booktitle = {11. International Conference of Z Users ZUM'98},
  editor = {J. Bowen},
  pages = {116--134},
  publisher = {Springer Verlag},
  series = {LNCS 1493},
  title = {{HOL-Z} in the {UniForM-Workbench} -- a Case Study in Tool
		  Integration for Z},
  year = 1998,
  doi = {10.1007/BFb0056029},
  ps = {http://kisogawa.ethz.ch/WebBIB/publications-softech/papers/1998/zinuniform.ps.gz},
  abstract = {The UniForM-Workbench is an open tool-integration
		  environment providing type-safe communication, a toolkit
		  for graphical user-interfaces, version management and
		  configuration management. We demonstrate how to integrate
		  several tools for the Z specification language into the
		  workbench, obtaining an instantiation of the workbench
		  suited as a software development environment for Z. In the
		  core of the setting, we use the encoding HOL-Z of Z into
		  Isabelle as semantic foundation and for formal reasoning
		  with Z specifications. In addition to this, external tools
		  like editors and small utilities are integrated, showing
		  the integration of both self-developed and externally
		  developed tools. The resulting prototype demonstrates the
		  viability of our approach to combine public domain tools
		  into a generic software development environment using a
		  strongly typed functional language. }
}
@inproceedings{luth.ea:more:2000,
  author = {Christoph L{\"u}th and Burkhart Wolff},
  title = {More about {TAS} and {IsaWin}: Tools for Formal Program
		  Development},
  editor = {T. Maibaum},
  booktitle = {Fundamental Approaches to Software Engineering {FASE 2000}.
		  Joint European Conferences on Theory and Practice of
		  Software {ETAPS 2000}},
  year = 2000,
  language = {USenglish},
  classification = {conference},
  series = {Lecture Notes in Computer Science},
  pages = {367-- 370},
  publisher = {Springer Verlag},
  number = 1783,
  ps = {http://kisogawa.ethz.ch/WebBIB/publications-softech/papers/2000/sysdesc.ps.gz},
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications-softech/papers/2000/sysdesc.pdf.gz},
  abstract = {We present a family of tools for program development and
		  verification, compris\- ing the transformation system TAS
		  and the theorem proving interface IsaWin. Both are based on
		  the theorem prover Isabelle, which is used as a generic
		  logical framework here. A graphical user interface, based
		  on the principle of di\- rect manipulation, allows the user
		  to interact with the tool without having to concern himself
		  with the details of the representation within the theorem
		  prover, leaving him to concentrate on the main design
		  decisions of program development or theorem proving. The
		  tools form an integrated system for formal program
		  development, in which TAS is used for transformational
		  program development, and IsaWin for discharging the
		  incurred proof obligations. However, both tools can be used
		  sep\- arately as well. Further, the tools are generic over
		  the formal method employed. In this extended abstract, we
		  will first give a brief overview over TAS and IsaWin. Since
		  TAS and IsaWin have been presented on previous ETAPS
		  conferences, the presentation will highlight the new
		  features as sketched out below. }
}
@techreport{luth.ea:smltk:2001,
  abstract = {In this reference manual, we describe the SML-based
		  programming environment sml_tk for graphical user
		  interfaces, version 3.0. sml_tk is based on the highly
		  portable X-Window Toolkit Tk (and uses internally the
		  Tcl/Tk interpreter wish), but offers functional abstraction
		  over Tk and an own component library for graphical standard
		  widgets such as info-boxes, treelist-widgets, tabs and
		  tables. sml_tk is the basic library for a collection of
		  GUIs for formal method tools such as TAS and IsaWin.},
  author = {Christoph L{\"u}th and Burkhart Wolff},
  classification = {unrefereed},
  institution = {Albert-Ludwigs-Universit{\"a}t Freiburg},
  language = {english},
  month = {July},
  number = 158,
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications-softech/papers/2001/manual.pdf},
  title = {sml\_tk: Functional Programming for GUIs -- Reference
		  Manual},
  year = 2001
}
@inproceedings{luth.ea:tas:2000,
  author = {Christoph L{\"u}th and Burkhart Wolff},
  title = {{TAS} --- A Generic Window Inference System},
  editor = {J. Harrison and M. Aagaard},
  booktitle = {Theorem Proving in Higher Order Logics: 13th International Conference, TPHOLs 2000},
  year = 2000,
  classification = {conference},
  series = {Lecture Notes in Computer Science},
  pages = {405--422},
  publisher = {Springer Verlag},
  number = 1869,
  pdf = {http://www.lri.fr/~wolff/papers/conf/TAS-tphols00.pdf},
  language = {USenglish},
  abstract = {This paper presents work on technology for
		  transformational proof and program development, as used by
		  window inference calculi and transformation systems. The
		  calculi are characterised by a certain class of theorems in
		  the underlying logic. Our transformation system TAS
		  compiles these rules to concrete deduction support,
		  complete with a graphical user interface with
		  command-language-free user interaction by gestures like
		  drag&drop and proof-by-pointing, and a development
		  management for transformational proofs. It is
		  generic in the sense that it is completely
		  independent of the particular window inference or
		  transformational calculus, and can be instantiated to many
		  different ones; three such instantiations are presented in
		  the paper.}
}
@inproceedings{lwkww98a,
  author = {C. L{\"u}th and E. W. Karlsen and Kolyang and S. Westmeier
		  and B. Wolff},
  booktitle = {Workshop on Tool Support for System Specification,
		  Development, and Verification},
  editor = {Berghammer and Hoffmann},
  title = {Tool integration in the UniForM Workbench},
  year = 1998,
  ps = {http://www.lri.fr/~wolff/papers/conf/tools.ps.gz},
  language = {USEnglish},
  abstract = {The UniForM-Workbench is an open tool-integration
		  environment providing type-safe communication, a toolkit
		  for graphical user-interfaces, version management and
		  configuration management. We demonstrate how to integrate
		  several tools for the Z specification language into the
		  workbench, obtaining an instantiation of the workbench
		  suited as a software development environment for Z. In the
		  core of the setting, we use the encoding HOL-Z of Z into
		  Isabelle as semantic foundation and for formal reasoning
		  with Z specifications. In addition to this, external tools
		  like editors and small utilities are integrated, showing
		  the integration of both self-developed and externally
		  developed tools. The resulting prototype demonstrates the
		  viability of our approach to combine public domain tools
		  into a generic software development environment using a
		  strongly typed functional language. },
  classification = {workshop}
}
@techreport{lww96,
  author = {C. L{\"u}th and S. Westmeier and B. Wolff},
  institution = {Universit{\"a}t Bremen},
  title = {sml_tk: Functional Programming for Graphical User
		  Interfaces},
  number = {8/96},
  year = 1996,
  comment = {outdated version 2.1},
  ps = {http://www.informatik.uni-bremen.de/~cxl/sml_tk/doc/Titel.ps.gz;
		  http://www.informatik.uni-bremen.de/~cxl/sml_tk/doc/DOC.ps.gz},
  language = {USEnglish},
  classification = {unrefereed}
}
@inproceedings{meyer.ea:correct:2000,
  author = {T. Meyer and Burkhart Wolff},
  title = {Correct Code-Generation in a Generic Framework},
  editor = {M. Aargaard and J. Harrison and T. Schubert},
  classification = {workshop},
  booktitle = {TPHOLs 2000: Supplemental Proceedings},
  year = 2000,
  series = {OGI Technical Report CSE 00-009},
  pages = {213--230},
  month = jul,
  organization = {Oregon Graduate Institute, Portland, USA},
  ps = {http://www.lri.fr/~wolff/papers/conf/CodeGen.ps.gz},
  pdf = {http://www.lri.fr/~wolff/papers/conf/CodeGen.pdf},
  language = {USenglish},
  abstract = {One major motivation for theorem provers is the
		  development of verified programs. In particular, synthesis
		  or transformational development techniques aim at a
		  formalised conversion of the original specification to a
		  final formula meeting some notion of executability. We
		  present a framework to describe such notions, a method to
		  formally investigate them and instantiate it for three
		  executable languages, based on three different forms of
		  recursion (two denotational and one based on well-founded
		  recursion) and develop their theory in Isabelle/HOL. These
		  theories serve as a semantic interface for a generic
		  code-generator which is set up for each program notion with
		  an individual code-scheme for SML.}
}
@incollection{meyer.ea:tactic-based:2005,
  abstract = {Within a framework of correct code-generation from
		  HOLspecifications, we present a particular instance
		  concerned with the optimized compilation of a lazy language
		  (called MiniHaskell) to a strict language (called MiniML).
		  Both languages are defined as shallow embeddings into
		  denotational semantics based on Scott s cpo s, leading to a
		  derivation of the corresponding operational semantics in
		  order to cross-check the basic definitions. On this basis,
		  translation rules from one language to the other were
		  formally derived in Isabelle/HOL. Particular emphasis is
		  put on the optimized compilation of function applications
		  leading to the side-calculi inferring e.g. strictness of
		  functions. The derived rules were grouped and set-up as an
		  instance of our generic, tactic-based translator for
		  specifications to code.},
  author = {Thomas Meyer and Burkhart Wolff},
  booktitle = {Types for Proofs and Programs (TYPES 2004)},
  copyright = {\copyright Springer-Verlag},
  doi = {10.1007/11617990_13},
  editor = {Jean-Christophe Filliatre and Christine Paulin and Benjamin Werner},
  language = {USenglish},
  month = 8,
  pages = {202--215},
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications/papers/2005/2_optcom.pdf},
  publisher = {Springer Verlag},
  series = {LNCS 3839},
  title = {Tactic-based Optimized Compilation of Functional
		  Programs},
  year = 2005,
  classification = {workshop},
  user = {wolff}
}
@inproceedings{rauch.ea:formalizing:2003,
  abstract = {We present a formal model of the Java two's-complement
		  integral arithmetics. The model directly formalizes the
		  arithmetic operations as given in the Java Language
		  Specification (JLS). The algebraic properties of these
		  definitions are derived. Underspecifications and
		  ambiguities in the JLS are pointed out and clarified. The
		  theory is formally analyzed in Isabelle/HOL, that is,
		  machine-checked proofs for the ring properties and
		  divisor/remainder theorems etc. are provided. This work is
		  suited to build the framework for machine-supported
		  reasoning over arithmetic formulae in the context of Java
		  source-code verification.},
  author = {Nicole Rauch and Burkhart Wolff},
  booktitle = {Electronic Notes in Theoretical Computer Science},
  language = {USenglish},
  pdf = {http://kisogawa.ethz.ch/WebBIB/publications-softech/papers/2003/0_fmics03.pdf},
  classification = {workshop},
  publisher = {Elsevier Science Publishers},
  title = {Formalizing Java's Two's-Complement Integral Type in
		  Isabelle/HOL},
  volume = 80,
  year = 2003
}
@techreport{rauch.ea:formalizing:2004,
  abstract = {We present a formal model of Java two’s-complement
		  integral arithmetics. The model directly formalizes the
		  artihmetic operations as given in the Java Language
		  Specification (JLS). The algebraic properties of these
		  definitions are derived. Underspecifications and
		  ambiguities in the JLS are pointed out and clarified. The
		  theory is formally analyzed in Isabelle/HOL that is,
		  machine-checked proofs for the ring properties and
		  divisor/remainder theorems etc. are provided. This work is
		  suited to build the framework for machine-supported
		  reasoning over arithmetic formulae in the context of Java
		  source-code verification. },
  author = {Nicole Rauch and Burkhart Wolff},
  institution = {ETH Z\"urich},
  language = {USenglish},
  month = 11,
  number = 458,
  pdf = {old papers},
  title = {Formalizing Java's Two's-Complement Integral Type in
		  Isabelle/HOL},
  year = 2004,
  classification = {unrefereed},
  user = {wolff}
}
@inproceedings{tw97,
  author = {H. Tej and B. Wolff},
  booktitle = {Proceedings of the FME 97 --- Industrial Applications and
		  Strengthened Foundations of Formal Methods},
  editor = {J. Fitzgerald and C.B. Jones and P. Lucas},
  pages = {318--337},
  publisher = {Springer Verlag},
  series = {LNCS 1313},
  title = {A Corrected Failure-Divergence Model for CSP in
		  Isabelle/HOL},
  year = 1997,
  ps = {http://www.lri.fr/~wolff/papers/conf/CSP.ps.gz},
  pdf = {http://www.lri.fr/~wolff/papers/conf/CSP.pdf},
  language = {USEnglish},
  doi = {10.1007/3-540-63533-5_17},
  abstract = {We present a failure-divergence model for CSP following
		  the concepts of [BR 85]. Its formal representation within
		  higher order logic in the theorem prover Isabelle/HOL [Pau
		  94] revealed an error in the basic definition of CSP
		  concerning the treatment of the termination symbol tick. A
		  corrected model has been formally proven consistent with
		  Isabelle HOL. Moreover, the changed version maintains the
		  essential algebraic properties of CSP. As a result, there
		  is a proven correct implementation of a ``CSP
		  workbench{\'{}}{\'{}} within Isabelle. },
  classification = {conference}
}
@unpublished{LTW98,
  author = {Haykal Tej and Christoph L\"uth and Burkhart Wolff},
  title = {Generic Transformational Program Development.},
  note = {Unpublished Paper.},
  pdf = {http://www.lri.fr/~wolff/papers/conf/gentraf.pdf},
  year = 1998,
  classification = {unrefereed}
}
@incollection{wenzel.ea:building:2007,
  abstract = {We present the generic system framework of
		  Isabelle/Isarunderlying recent versions of Isabelle. Among
		  other things, Isar provides an infrastructure for Isabelle
		  plug-ins, comprising extensible state components and
		  extensible syntax that can be bound to tactical ML
		  programs. Thus the Isabelle/Isar architecture may be
		  understood as an extension and refinement of the
		  traditional "LCF approach", with explicit infrastructure
		  for building derivative systems. To demonstrate the
		  technical potential of the framework, we apply it to a
		  concrete formalmethods tool: the HOL-Z 3.0 environment,
		  which is geared towards the analysis of Z specifications
		  and formal proof of forward-refinements.},
  author = {Makarius Wenzel and Burkhart Wolff},
  booktitle = {TPHOLs 2007},
  copyright = {\copyright Springer-Verlag},
  doi = {10.1007/978-3-540-74591-4_26},
  editor = {Klaus Schneider and Jens Brandt},
  language = {USenglish},
  pages = {351--366},
  pdf = {http://www.lri.fr/~wolff/papers/conf/2007-tphols-isar-tool-framework.pdf},
  publisher = {Springer-Verlag},
  series = {LNCS 4732},
  title = {Building Formal Method Tools in the Isabelle/Isar Framework},
  year = 2007,
  classification = {conference},
  user = {wolff}
}
@thesis{wolff05,
  author = {Burkhart Wolff},
  title = {Correct Tools for Formal Methods in Software Engineering},
  publisher = {Universit{\"a}t Freiburg},
  year = 2005,
  language = {USEnglish},
  abstract = {The development of \emph{tools} for program analysis,
		  verification and refinement is a prerequisite for the
		  proliferation of formal methods in industry and research.
		  While most tools were directly implemented in a programming
		  language, the ultimate goal of this work is to represent
		  widely known formal methods in a so-called \emph{logical
		  framework} \textbf{by their semantics} using a particular
		  representation technique --- called \emph{shallow
		  embedding} --- motivated by more efficient deduction. Based
		  on this representation, symbolic computations in tool
		  implementations can be based on formally proven correct
		  \emph{derived rules}. As such, this correctness-oriented
		  approach has been known for a while and has been criticized
		  for a number of shortcomings: \begin{enumerate} \item the
		  application range of embeddings in logical frameworks is
		  limited to very small and artificially designed languages,
		  \item their application is impossible when the formal
		  specification method is still under development, \item
		  embedding the semantics conservatively and deriving some
		  rules on this basis does not imply that there is a
		  comprehensive support of a method that is technically
		  powerful enough for applications, \item the integration in
		  a more global software engineering process and its
		  pragmatics is too difficult, and \item the usability of
		  embeddings is doubtful even if one is targeting at the
		  (fairly small market of) proof environments.
		  \end{enumerate} In contrast to this criticism, we claim
		  that our approach is feasible. We substantiate this by
		  developing: \begin{enumerate} \item suitable embeddings for
		  widely used formal methods, including process-oriented,
		  data-oriented and object-oriented specification methods
		  (CSP, Z, UML/OCL), \item abstractions and aspect-oriented
		  structuring techniques allowing for the quick development
		  of semantic variants enabling the study consequences of
		  changes in formal methods under development (like UML/OCL),
		  \item particular techniques for generating library
		  theories, for supporting particular deduction styles in
		  proofs, for specialized deduction support for concrete
		  development methodologies, \item different scenarios of the
		  integration of the developed tools in conventional tool
		  chains in software engineering, and \item front-ends for
		  light-weight integration into tool chains (like HOL-Z 2.0)
		  or prototypic encapsulation of logical embeddings into
		  generic graphical user-interfaces for a more comprehensive
		  encapsulation. \end{enumerate} Finally, we validate one of
		  these tool chains (HOL-Z 2.0) by a substantial case-study
		  in the field of computer security. },
  note = {Habilitationsschrift},
  classification = {book},
  url = {http://www.lri.fr/~wolff/papers/other/habilschrift.pdf}
}
@phdthesis{wolff97,
  author = {B. Wolff},
  title = {A Generic Calculus of Transformations},
  school = {Universit{\"a}t Bremen},
  pubisher = {Shaker-Verlag},
  address = {Aachen},
  isbn = {3-8265-3654-1},
  year = 1997,
  ps = {http://www.lri.fr/~wolff/papers/other/diss.tar.gz},
  language = {USEnglish},
  abstract = {\textbf{Binding structures} enrich traditional abstract
		  syntax by providing support for representing binding
		  mechanisms (based on deBruijn indices), term-schemata and a
		  very clean algebraic theory of substitution. We provide the
		  following main results: \begin{itemize} \item The
		  establishment of a \emph{generic} binding structure with
		  the novel concept of effect-binding that enables the
		  representations of both signatures and formulas (i.e.
		  specifications) inside one term meta- language, \item The
		  foundation of a formal (machine-assisted) substitution
		  theory of effect-binding that is well-suited for
		  mechanisation. This may contribute to the construction of
		  tools such as theorem provers, program transformers, static
		  analysers, evaluators and optimising compilers, \item The
		  foundation of a rigorous meta-theory for rewriting on
		  effect- binding-structures. The resulting rewrite notion
		  transformation extends combinatory rewrite systems to
		  rewrites on specifications. \end{itemize} The corner stone
		  of this theory is a confluence proof for orthogonal
		  transformations (partly implemented in the proof assistant
		  Isabelle). },
  classification = {book}
}
@techreport{wolff:ea:mixe:2002,
  author = {Burkhart Wolff and Oliver Berthold and Sebastian Clau{\ss}
		  and Hannes Federrath and Stefan K{\"o}psell and Andreas
		  Pfitzmann},
  title = {Towards a Formal Analysis of a Mix Network},
  institution = {Albert-Ludwigs-Universit{\"a}t Freiburg},
  year = 2002,
  series = {Technical Report},
  number = 171,
  issn = 14341719,
  pdf = {http://www.lri.fr/~wolff/papers/other/tr01.pdf},
  language = {USEnglish},
  classification = {unrefereed}
}
@inproceedings{wolff:verifying:2001,
  abstract = {Binding structures enrich traditional abstract syntax by
		  provi-ding support for representing binding mechanisms
		  (based on deBruijn indices), term-schemata and a very clean
		  algebraic theory of substitution. Weprovide a novel binding
		  structure with the following main results: 1) The
		  formalisation of a generic binding structure with the novel
		  conceptof effect-binding that enables the explicit
		  representations of both contexts and terms inside one term
		  meta-language,2) The foundation of a formal
		  (machine-assisted) substitution theory of effect-binding
		  that is well-suited for mechanisation. This can be used for
		  thesystematic and correct development of new calculi with
		  explicit substitutions.The substitution theory is formally
		  proven in Isabelle/HOL; the implementation may serve as
		  (untyped) framework for deep embeddings.},
  author = {Burkhart Wolff},
  classification = {proceedings},
  booktitle = {Workshop on Explicit Substitution Theory and Applications
		  (WESTAPP'01)},
  editor = {Pierre Lescanne},
  isbn = {90-393-2764-5},
  language = {english},
  month = {May},
  pages = {58 -- 71},
  ps = {http://kisogawa.ethz.ch/WebBIB/publications-softech/papers/2001/BiSE.ps.gz},
  publisher = {Department of Philosophy - Utrecht University},
  series = {Logic Group Preprint Series},
  title = {Verifying Explicit Substitution Calculi in Binding
		  Structures with Effect Binding},
  classification = {workshop},
  volume = 210,
  year = 2001
}
@incollection{brucker.ea:ocl-null:2009,
  author = {Achim D. Brucker and Matthias P. Krieger and Burkhart
                  Wolff},
  booktitle = {MODELS 2009 Workshops},
  series = {LNCS 6002},
  editor = {S. Ghosh},
  pages = {261--275},
  language = {USenglish},
  publisher = {Springer Verlag, Heidelberg},
  title = {Extending {OCL} with Null-References},
  year = 2009,
  classification = {workshop},
  categories = {holocl},
  location = {Denver, Colorado, \acs{usa}},
  areas = {formal methods, software},
  public = {yes},
  abstract = {From its beginnings, OCL is based on a strict semantics
                  for undefinedness, with the exception of the logical
                  connectives of type Boolean that constitute a three-valued
                  propositional logic. Recent versions of the OCL standard
                  added a second exception element, which, similar to the
                  null references in object-oriented programming languages,
                  is given a non-strict semantics. Unfortunately, this
                  extension has been done in an ad hoc manner, which results
                  in several inconsistencies and contradictions.

                  In this paper, we present a consistent formal semantics
                  (based on our \holocl approach) that includes such a
                  non-strict exception element. We discuss the possible
                  consequences concerning class diagram semantics as well as
                  deduction rules. The benefits of our approach for the
                  specification-pragmatics of design level operation
                  contracts are demonstrated with a small case-study.},
  bibkey = {brucker.ea:ocl-null:2009},
  pdf = {http://www.brucker.ch/bibliography/download/2009/brucker.ea-ocl-null-2009.pdf},
  ps = {http://www.brucker.ch/bibliography/download/2009/brucker.ea-ocl-null-2009.ps.gz},
  keywords = {\holocl, UML, OCL, null reference, formal semantics},
  url = {http://www.brucker.ch/bibliography/abstract/brucker.ea-ocl-null-2009},
  note = {Best-Paper Award at the OCL 2009 Workshop.},
  ee = {http://dx.doi.org/10.1007/978-3-642-12261-3_25},
  doi = {10.1007/978-3-642-12261-3_25}
}
@techreport{brucker.ea:hol-testgen:2010,
  author = {Achim D. Brucker and Lukas Br{\"u}gger and Matthias P.
		  Krieger and Burkhart Wolff},
  institution = {ETH Zurich},
  language = {USenglish},
  month = {April},
  number = 670,
  pdf = {http://www.lri.fr/~wolff/papers/other/HOL-TestGen_UserGuide.pdf},
  title = {{HOL-TestGen} 1.5.0 User Guide},
  year = 2010
}
@techreport{brucker.ea:path-expressions:2013-b,
  author = {Achim D. Brucker and Delphine Longuet and Fr{\'e}d{\'e}ric
		  Tuong and Burkhart Wolff},
  title = {On the Semantics of Object-oriented Data Structures and
		  Path Expressions (Extended Version)},
  booktitle = {Workshop on OCL and Textual Modelling (OCL 2013)},
  year = {2013},
  abstract = { \UML/\OCL is perceived as the de-facto standard for
		  specifying object-oriented models in general and data
		  models in particular. Since recently, all data types of
		  \UML/\OCL comprise two different exception elements:
		  \inlineocl{invalid} (``bottom'' in semantics terminology)
		  and \inlineocl{null} (for ``non-existing element''). This
		  has far-reaching consequences on both the logical and
		  algebraic properties of \OCL expressions as well as the
		  path expressions over object-oriented data structures, \ie,
		  class models.
		  
		  In this paper, we present a formal semantics for
		  object-oriented data models in which all data types and,
		  thus, all class attributes and path expressions, support
		  \inlineocl{invalid} and \inlineocl{null}. Based on this
		  formal semantics, we present a set of \OCL test cases that
		  can be used for evaluating the support of \inlineocl{null}
		  and \inlineocl{invalid} in \OCL tools.},
  classification = {unrefereed},
  categories = {holocl},
  url = {http://www.brucker.ch/bibliography/abstract/brucker.ea-path-expressions-2013-b},
  number = {1565},
  institution = {Laboratoire en Recherche en Informatique (LRI),
		  Universit\'e Paris-Sud 11, France},
  areas = {formal methods, software},
  keywords = { Object-oriented Data Structures, Path Expressions,
		  Featherweight OCL, Null, Invalid, Formal Semantics},
  public = {yes},
  pdf = {http://www.brucker.ch/bibliography/download/2013/brucker.ea-path-expressions-2013-b.pdf}
}
@article{brucker.ea:featherweight:2014,
  author = {Achim D. Brucker and Fr{\'e}d{\'e}ric Tuong and Burkhart
		  Wolff},
  title = {Featherweight OCL: A Proposal for a Machine-Checked Formal
		  Semantics for OCL 2.5},
  journal = {Archive of Formal Proofs},
  month = jan,
  year = {2014},
  note = {\url{http://afp.sf.net/entries/Featherweight_OCL.shtml},
		  Formal proof development},
  issn = {2150-914x},
  abstract = {The Unified Modeling Language (UML) is one of the few
		  modeling languages that is widely used in industry. While
		  UML is mostly known as diagrammatic modeling language
		  (e.g., visualizing class models), it is complemented by a
		  textual language, called Object Constraint Language (OCL).
		  OCL is based on a three-valued logic that turns UML into a
		  formal language. Unfortunately the semantics of this
		  specification language, captured in the "Annex A" of the
		  OCL standard, leads to different interpretations of corner
		  cases. We formalize the core of OCL: denotational
		  definitions, a logical calculus and operational rules that
		  allow for the execution of OCL expressions by a mixture of
		  term rewriting and code compilation. Our formalization
		  reveals several inconsistencies and contradictions in the
		  current version of the OCL standard. Overall, this document
		  is intended to provide the basis for a machine-checked text
		  "Annex A" of the OCL standard targeting at tool
		  implementors.},
  public = {yes},
  classification = {formal},
  categories = {holocl},
  pdf = {http://www.brucker.ch/bibliography/download/2014/brucker.ea-featherweight-2014.pdf},
  filelabel = {Outline},
  file = {http://www.brucker.ch/bibliography/download/2014/brucker.ea-featherweight-outline-2014.pdf},
  areas = {formal methods, software},
  url = {http://www.brucker.ch/bibliography/abstract/brucker.ea-featherweight-2014}
}
@inproceedings{nguyenvan_et_al:LIPIcs:2020:12983,
  author = {Hai Nguyen Van and Fr{\'e}d{\'e}ric Boulanger and Burkhart Wolff},
  title = {{TESL: A Model with Metric Time for Modeling and Simulation}},
  booktitle = {27th International Symposium on Temporal Representation and Reasoning (TIME 2020)},
  pages = {15:1--15:15},
  series = {Leibniz International Proceedings in Informatics (LIPIcs)},
  isbn = {978-3-95977-167-2},
  issn = {1868-8969},
  year = {2020},
  volume = {178},
  editor = {Emilio Mu{\~n}oz-Velasco and Ana Ozaki and Martin Theobald},
  publisher = {Schloss Dagstuhl--Leibniz-Zentrum f{\"u}r Informatik},
  address = {Dagstuhl, Germany},
  url = {https://drops.dagstuhl.de/opus/volltexte/2020/12983},
  urn = {urn:nbn:de:0030-drops-129837},
  doi = {10.4230/LIPIcs.TIME.2020.15},
  annote = {Keywords: Timed Systems, Semantics, Models, Simulation}
}
@inproceedings{DBLP:conf/formats/VanBBKVW20,
  author = {Hai Nguyen Van and
               Thibaut Balabonski and
               Fr{\'{e}}d{\'{e}}ric Boulanger and
               Chantal Keller and
               Beno{\^{\i}}t Valiron and
               Burkhart Wolff},
  title = {On the Semantics of Polychronous Polytimed Specifications},
  booktitle = {Formal Modeling and Analysis of Timed Systems - 18th International
               Conference, {FORMATS} 2020, Vienna, Austria, September 1-3, 2020,
               Proceedings},
  pages = {23--40},
  year = {2020},
  url = {https://doi.org/10.1007/978-3-030-57628-8\_2},
  doi = {10.1007/978-3-030-57628-8\_2},
  pdf = {https://www.lri.fr/~wolff/papers/conf/2020-Formats-SPPS.pdf},
  timestamp = {Tue, 25 Aug 2020 15:34:38 +0200},
  biburl = {https://dblp.org/rec/conf/formats/VanBBKVW20.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}

This file was generated by bibtex2html 1.96.