comp.lang.ada
 help / color / mirror / Atom feed
From: stefan-lucks@see-the.signature
Subject: Re: Silly and stupid post‑condition or not ?
Date: Thu, 2 Feb 2012 10:18:03 +0100
Date: 2012-02-02T10:18:03+01:00	[thread overview]
Message-ID: <Pine.LNX.4.64.1202021002060.7297@medsec1.medien.uni-weimar.de> (raw)
In-Reply-To: <oxvm5rgonh77$.135nqc7uxq9wr$.dlg@40tude.net>

On Thu, 2 Feb 2012, Dmitry A. Kazakov wrote:

> >   procedure Ask_Database(U: User; Q: Query; R: out Response)
> >     with post(if (not Authorized(U)) and (Asks_For_Secret_Stuff(Q)) 
> >               then R=Empty_Response);
> 
> BTW, contracts to be stated in terms of equivalence rather than
> implications. I.e.
> 
>    R=Empty_Response <=> not Authorized(U)) or ...

Why?

These implications are what you would typically find in a security 
requirements specification. (In human-readable way, such as "if an 
unauthorized user asks for any confidential data, no answer is provided by 
the XY system.")

What is the point of rewriting this in terms of equivalence? You run the 
trouble of proving that your rewritten contract is logically equivalent to 
the requirements specification. (Or you risk proving your program correct 
with respect to an incorrect spec.)

-- 
---- Stefan.Lucks (at) uni-weimar.de, University of Weimar, Germany  ----
    <http://www.uni-weimar.de/cms/medien/mediensicherheit/home.html>
------  I  love  the  taste  of  Cryptanalysis  in  the  morning!  ------




  parent reply	other threads:[~2012-02-02  9:16 UTC|newest]

Thread overview: 84+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-01-30 23:11 Silly and stupid post‑condition or not ? Yannick Duchêne (Hibou57)
2012-01-31  6:47 ` J-P. Rosen
2012-01-31 18:48   ` Jeffrey Carter
2012-01-31 22:02     ` Yannick Duchêne (Hibou57)
2012-01-31  8:54 ` Dmitry A. Kazakov
2012-01-31  9:35   ` Georg Bauhaus
2012-01-31 10:22     ` Dmitry A. Kazakov
2012-01-31 12:33       ` Georg Bauhaus
2012-01-31 13:52         ` Dmitry A. Kazakov
2012-01-31 15:34           ` Georg Bauhaus
2012-01-31 16:24             ` Dmitry A. Kazakov
2012-01-31 19:44               ` Georg Bauhaus
2012-02-01  8:41                 ` Dmitry A. Kazakov
2012-02-01 10:37                   ` stefan-lucks
2012-02-01 10:51                     ` Yannick Duchêne (Hibou57)
2012-02-01 13:49                     ` Yannick Duchêne (Hibou57)
2012-02-01 13:49                     ` Dmitry A. Kazakov
2012-02-01 16:37                       ` stefan-lucks
2012-02-02  1:50                         ` Silly and stupid post�?'condition " Randy Brukardt
2012-02-02  1:56                           ` Silly and stupid postâ?'condition or not ? Yannick Duchêne (Hibou57)
2012-02-03  2:45                             ` Silly and stupid post�?'condition or not ? Randy Brukardt
2012-02-02  8:25                         ` Silly and stupid post‑condition " Dmitry A. Kazakov
2012-02-02  9:01                           ` stefan-lucks
2012-02-02  9:18                           ` stefan-lucks [this message]
2012-02-02 10:04                             ` Dmitry A. Kazakov
2012-01-31 22:08         ` Yannick Duchêne (Hibou57)
2012-01-31 17:28 ` Dmitry A. Kazakov
2012-01-31 22:12   ` Yannick Duchêne (Hibou57)
2012-02-01  8:49     ` Dmitry A. Kazakov
2012-02-01  8:36 ` Stephen Leake
2012-02-01 16:30   ` Silly and stupid post-condition " Adam Beneschan
2012-02-02  9:40     ` Stephen Leake
2012-02-02 13:20       ` Georg Bauhaus
2012-02-02 13:35         ` Yannick Duchêne (Hibou57)
2012-02-03  3:13       ` Randy Brukardt
2012-02-03  3:33         ` Yannick Duchêne (Hibou57)
2012-02-03  8:12         ` Simon Wright
2012-02-07  2:29           ` BrianG
2012-02-07 10:43             ` Simon Wright
2012-02-08  2:25               ` BrianG
2012-02-07 21:15             ` Robert A Duff
2012-02-03  9:11         ` Dmitry A. Kazakov
2012-02-04  3:27           ` Randy Brukardt
2012-02-04 10:15             ` Dmitry A. Kazakov
2012-02-03 12:25         ` Phil Thornley
2012-02-04  9:30         ` Phil Thornley
2012-02-04 12:02         ` Phil Thornley
2012-02-05  6:18           ` Randy Brukardt
2012-02-05 10:23             ` Phil Thornley
2012-02-05 10:55               ` Yannick Duchêne (Hibou57)
2012-02-05 15:03               ` Robert A Duff
2012-02-05 18:04                 ` Phil Thornley
2012-02-05 21:27                   ` Robert A Duff
2012-02-05 23:09                     ` Phil Thornley
2012-02-07  2:05               ` Randy Brukardt
2012-02-07  9:38                 ` Dmitry A. Kazakov
2012-02-05 11:31             ` Yannick Duchêne (Hibou57)
2012-02-05 14:50             ` Robert A Duff
2012-02-07  2:11               ` Randy Brukardt
2012-02-07  2:34             ` BrianG
2012-02-07  4:38               ` Yannick Duchêne (Hibou57)
2012-02-09  3:10               ` Randy Brukardt
2012-02-04 23:07         ` Stephen Leake
2012-02-05  2:49           ` Yannick Duchêne (Hibou57)
2012-02-05  6:29           ` Randy Brukardt
2012-02-05 11:40             ` Yannick Duchêne (Hibou57)
2012-02-07  1:36               ` Randy Brukardt
2012-02-05 15:16             ` Robert A Duff
2012-02-06  4:56               ` Yannick Duchêne (Hibou57)
2012-02-06 14:39                 ` Robert A Duff
2012-02-06 16:12                   ` Yannick Duchêne (Hibou57)
2012-02-07  1:46               ` Randy Brukardt
2012-02-07 17:24                 ` Robert A Duff
2012-02-03  6:26       ` J-P. Rosen
2012-02-03  9:12         ` Dmitry A. Kazakov
2012-02-03  9:48           ` Yannick Duchêne (Hibou57)
2012-02-03 11:09             ` Dmitry A. Kazakov
2012-02-03 11:40               ` Yannick Duchêne (Hibou57)
2012-02-03 13:18                 ` Dmitry A. Kazakov
2012-02-03 14:14                   ` Yannick Duchêne (Hibou57)
2012-02-03 14:45                     ` Dmitry A. Kazakov
2012-02-04  3:16           ` Randy Brukardt
2012-02-04  6:27             ` Yannick Duchêne (Hibou57)
2012-02-04 10:47             ` Dmitry A. Kazakov

replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox