diff --git a/examples/scholarly_paper/2022-phd-poster/ROOT b/examples/scholarly_paper/2022-phd-poster/ROOT
new file mode 100644
index 0000000..e21eb1e
--- /dev/null
+++ b/examples/scholarly_paper/2022-phd-poster/ROOT
@@ -0,0 +1,26 @@
+session "2022-phd-poster" = "Isabelle_DOF" +
+  options [document = pdf, document_output = "output", document_build = dof,
+    document_comment_latex = true]
+  theories
+    "paper"
+  document_files
+    "isadof.cfg"
+    "root.bib"
+    "preamble.tex"
+    "lstisadof.sty"
+    "figures/afp_growth_in_number_of_articles.png"
+    "figures/classes_with_invariant.png"
+    "figures/code_antiquotations.png"
+    "figures/dof_classes.png"
+    "figures/dof_document.png"
+    "figures/invariant_preserved.png"
+    "figures/local_ontology.png"
+    "figures/morphism.png"
+    "figures/odl.png"
+    "figures/ontological_context.png"
+    "figures/output.png"
+    "figures/reference_ontology.png"
+    "figures/sml_code_with_antiquotations.png"
+    "figures/text_element.png"
+    "figures/text_element_with_formal_content.png"
+    "figures/theories_hierarchy.png"
diff --git a/examples/scholarly_paper/2022-phd-poster/document/figures/afp_growth_in_number_of_articles.png b/examples/scholarly_paper/2022-phd-poster/document/figures/afp_growth_in_number_of_articles.png
new file mode 100644
index 0000000..2a1a8c3
Binary files /dev/null and b/examples/scholarly_paper/2022-phd-poster/document/figures/afp_growth_in_number_of_articles.png differ
diff --git a/examples/scholarly_paper/2022-phd-poster/document/figures/classes_with_invariant.png b/examples/scholarly_paper/2022-phd-poster/document/figures/classes_with_invariant.png
new file mode 100644
index 0000000..63a7355
Binary files /dev/null and b/examples/scholarly_paper/2022-phd-poster/document/figures/classes_with_invariant.png differ
diff --git a/examples/scholarly_paper/2022-phd-poster/document/figures/code_antiquotations.png b/examples/scholarly_paper/2022-phd-poster/document/figures/code_antiquotations.png
new file mode 100644
index 0000000..91184b4
Binary files /dev/null and b/examples/scholarly_paper/2022-phd-poster/document/figures/code_antiquotations.png differ
diff --git a/examples/scholarly_paper/2022-phd-poster/document/figures/dof_classes.png b/examples/scholarly_paper/2022-phd-poster/document/figures/dof_classes.png
new file mode 100644
index 0000000..8c18f7e
Binary files /dev/null and b/examples/scholarly_paper/2022-phd-poster/document/figures/dof_classes.png differ
diff --git a/examples/scholarly_paper/2022-phd-poster/document/figures/dof_document.png b/examples/scholarly_paper/2022-phd-poster/document/figures/dof_document.png
new file mode 100644
index 0000000..0ea3331
Binary files /dev/null and b/examples/scholarly_paper/2022-phd-poster/document/figures/dof_document.png differ
diff --git a/examples/scholarly_paper/2022-phd-poster/document/figures/invariant_preserved.png b/examples/scholarly_paper/2022-phd-poster/document/figures/invariant_preserved.png
new file mode 100644
index 0000000..bcd249d
Binary files /dev/null and b/examples/scholarly_paper/2022-phd-poster/document/figures/invariant_preserved.png differ
diff --git a/examples/scholarly_paper/2022-phd-poster/document/figures/local_ontology.png b/examples/scholarly_paper/2022-phd-poster/document/figures/local_ontology.png
new file mode 100644
index 0000000..8635c30
Binary files /dev/null and b/examples/scholarly_paper/2022-phd-poster/document/figures/local_ontology.png differ
diff --git a/examples/scholarly_paper/2022-phd-poster/document/figures/morphism.png b/examples/scholarly_paper/2022-phd-poster/document/figures/morphism.png
new file mode 100644
index 0000000..a2871e2
Binary files /dev/null and b/examples/scholarly_paper/2022-phd-poster/document/figures/morphism.png differ
diff --git a/examples/scholarly_paper/2022-phd-poster/document/figures/odl.png b/examples/scholarly_paper/2022-phd-poster/document/figures/odl.png
new file mode 100644
index 0000000..fbe7c34
Binary files /dev/null and b/examples/scholarly_paper/2022-phd-poster/document/figures/odl.png differ
diff --git a/examples/scholarly_paper/2022-phd-poster/document/figures/ontological_context.png b/examples/scholarly_paper/2022-phd-poster/document/figures/ontological_context.png
new file mode 100644
index 0000000..c4ed1e4
Binary files /dev/null and b/examples/scholarly_paper/2022-phd-poster/document/figures/ontological_context.png differ
diff --git a/examples/scholarly_paper/2022-phd-poster/document/figures/output.png b/examples/scholarly_paper/2022-phd-poster/document/figures/output.png
new file mode 100644
index 0000000..01b0797
Binary files /dev/null and b/examples/scholarly_paper/2022-phd-poster/document/figures/output.png differ
diff --git a/examples/scholarly_paper/2022-phd-poster/document/figures/reference_ontology.png b/examples/scholarly_paper/2022-phd-poster/document/figures/reference_ontology.png
new file mode 100644
index 0000000..b45fb99
Binary files /dev/null and b/examples/scholarly_paper/2022-phd-poster/document/figures/reference_ontology.png differ
diff --git a/examples/scholarly_paper/2022-phd-poster/document/figures/sml_code_with_antiquotations.png b/examples/scholarly_paper/2022-phd-poster/document/figures/sml_code_with_antiquotations.png
new file mode 100644
index 0000000..35f724a
Binary files /dev/null and b/examples/scholarly_paper/2022-phd-poster/document/figures/sml_code_with_antiquotations.png differ
diff --git a/examples/scholarly_paper/2022-phd-poster/document/figures/text_element.png b/examples/scholarly_paper/2022-phd-poster/document/figures/text_element.png
new file mode 100644
index 0000000..2fc7ef8
Binary files /dev/null and b/examples/scholarly_paper/2022-phd-poster/document/figures/text_element.png differ
diff --git a/examples/scholarly_paper/2022-phd-poster/document/figures/text_element_with_formal_content.png b/examples/scholarly_paper/2022-phd-poster/document/figures/text_element_with_formal_content.png
new file mode 100644
index 0000000..3e9c0ed
Binary files /dev/null and b/examples/scholarly_paper/2022-phd-poster/document/figures/text_element_with_formal_content.png differ
diff --git a/examples/scholarly_paper/2022-phd-poster/document/figures/theories_hierarchy.png b/examples/scholarly_paper/2022-phd-poster/document/figures/theories_hierarchy.png
new file mode 100644
index 0000000..baf3842
Binary files /dev/null and b/examples/scholarly_paper/2022-phd-poster/document/figures/theories_hierarchy.png differ
diff --git a/examples/scholarly_paper/2022-phd-poster/document/isadof.cfg b/examples/scholarly_paper/2022-phd-poster/document/isadof.cfg
new file mode 100644
index 0000000..1177eac
--- /dev/null
+++ b/examples/scholarly_paper/2022-phd-poster/document/isadof.cfg
@@ -0,0 +1,2 @@
+Template: 2022-phd-poster
+Ontology: scholarly_paper
diff --git a/examples/scholarly_paper/2022-phd-poster/document/lstisadof.sty b/examples/scholarly_paper/2022-phd-poster/document/lstisadof.sty
new file mode 100755
index 0000000..e6f7e22
--- /dev/null
+++ b/examples/scholarly_paper/2022-phd-poster/document/lstisadof.sty
@@ -0,0 +1,195 @@
+%% Copyright (C) 2018 The University of Sheffield
+%%               2018 The University of Paris-Saclay
+%%               2019 The University of Exeter
+%%
+%% License:
+%%   This program can be redistributed and/or modified under the terms
+%%   of the LaTeX Project Public License Distributed from CTAN
+%%   archives in directory macros/latex/base/lppl.txt; either
+%%   version 1.3c of the License, or (at your option) any later version.
+%%   OR
+%%   The 2-clause BSD-style license.
+%%
+%%   SPDX-License-Identifier: LPPL-1.3c+ OR BSD-2-Clause
+\usepackage{listings}
+\usepackage{listingsutf8}
+\usepackage{tikz}
+\usepackage[many]{tcolorbox}
+\tcbuselibrary{listings}
+\tcbuselibrary{skins}
+\usepackage{xstring}
+
+\definecolor{OliveGreen}    {cmyk}{0.64,0,0.95,0.40}
+\definecolor{BrickRed}      {cmyk}{0,0.89,0.94,0.28}
+\definecolor{Blue}          {cmyk}{1,1,0,0}
+\definecolor{CornflowerBlue}{cmyk}{0.65,0.13,0,0}
+
+%%%\lst@BeginAspect[keywords]{isar}
+\gdef\lst@tagtypes{s}
+\gdef\lst@TagKey#1#2{%
+    \lst@Delim\lst@tagstyle #2\relax
+        {Tag}\lst@tagtypes #1%
+                     {\lst@BeginTag\lst@EndTag}%
+        \@@end\@empty{}}
+\lst@Key{tag}\relax{\lst@TagKey\@empty{#1}}
+\lst@Key{tagstyle}{}{\def\lst@tagstyle{#1}}
+\lst@AddToHook{EmptyStyle}{\let\lst@tagstyle\@empty}
+\gdef\lst@BeginTag{%
+    \lst@DelimOpen
+        \lst@ifextags\else
+        {\let\lst@ifkeywords\iftrue
+         \lst@ifmarkfirstintag \lst@firstintagtrue \fi}}
+\lst@AddToHookExe{ExcludeDelims}{\let\lst@ifextags\iffalse}
+\gdef\lst@EndTag{\lst@DelimClose\lst@ifextags\else}
+\lst@Key{usekeywordsintag}t[t]{\lstKV@SetIf{#1}\lst@ifusekeysintag}
+\lst@Key{markfirstintag}f[t]{\lstKV@SetIf{#1}\lst@ifmarkfirstintag}
+\gdef\lst@firstintagtrue{\global\let\lst@iffirstintag\iftrue}
+\global\let\lst@iffirstintag\iffalse
+ \lst@AddToHook{PostOutput}{\lst@tagresetfirst}
+ \lst@AddToHook{Output}
+     {\gdef\lst@tagresetfirst{\global\let\lst@iffirstintag\iffalse}}
+ \lst@AddToHook{OutputOther}{\gdef\lst@tagresetfirst{}}
+\lst@AddToHook{Output}
+    {\ifnum\lst@mode=\lst@tagmode
+         \lst@iffirstintag \let\lst@thestyle\lst@gkeywords@sty \fi
+         \lst@ifusekeysintag\else \let\lst@thestyle\lst@gkeywords@sty\fi
+     \fi}
+\lst@NewMode\lst@tagmode
+\gdef\lst@Tag@s#1#2\@empty#3#4#5{%
+    \lst@CArg #1\relax\lst@DefDelimB {}{}%
+        {\ifnum\lst@mode=\lst@tagmode \expandafter\@gobblethree \fi}%
+        #3\lst@tagmode{#5}%
+    \lst@CArg #2\relax\lst@DefDelimE {}{}{}#4\lst@tagmode}%
+\gdef\lst@BeginCDATA#1\@empty{%
+    \lst@TrackNewLines \lst@PrintToken
+    \lst@EnterMode\lst@GPmode{}\let\lst@ifmode\iffalse
+    \lst@mode\lst@tagmode #1\lst@mode\lst@GPmode\relax\lst@modetrue}
+%%\lst@EndAspect
+
+
+
+% \gdef\lst@BeginTag{%
+%     \lst@DelimOpen
+%     \lst@ifextags\else
+%         {\let\lst@ifkeywords\iftrue
+%          \lst@ifmarkfirstintag\lst@firstintagtrue\fi\color{green}}}
+% \gdef\lst@EndTag{\lst@DelimClose\lst@ifextags\else\color{green}}
+
+\def\beginlstdelim#1#2#3%
+{%
+    \def\endlstdelim{\texttt{\textbf{\color{black!60}#2}}\egroup}%
+    \ttfamily\textbf{\color{black!60}#1}\bgroup\rmfamily\color{#3}\aftergroup\endlstdelim%
+}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%% <isar>
+\providecolor{isar}{named}{gray}
+%\renewcommand{\isacommand}[1]{\textcolor{OliveGreen!60}{\ttfamily\bfseries #1}}
+\newcommand{\inlineisarbox}[1]{#1}
+\NewTColorBox[]{isarbox}{}{
+     ,boxrule=0pt
+     ,boxsep=0pt
+     ,colback=white!90!isar
+     ,enhanced jigsaw
+     ,borderline west={2pt}{0pt}{isar!60!black}
+     ,sharp corners
+     ,before skip balanced=0.5\baselineskip plus 2pt
+     % ,before skip=10pt
+     % ,after skip=10pt
+     ,enlarge top by=0mm
+     ,enhanced
+     ,overlay={\node[draw,fill=isar!60!black,xshift=0pt,anchor=north
+       east,font=\bfseries\footnotesize\color{white}]
+                at (frame.north east) {Isabelle code};}
+}
+%% </isar>
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\newcommand{\subscr}[1]{\ensuremath{_{\mbox{#1}}}}
+\newcommand{\supscr}[1]{\ensuremath{^{\mbox{#1}}}}
+\lstdefinestyle{ISAR}{%
+  language=%
+  ,basicstyle=\ttfamily%
+  ,showspaces=false%
+  ,showlines=false%
+  ,columns=flexible%
+  ,morecomment=[s]{(*}{*)}%
+  % ,moredelim=*[s][\rmfamily]{\{*}{*\}}%
+  ,moredelim = **[is][\beginlstdelim{\{*}{*\}}{black}]{\{*}{*\}}
+  ,showstringspaces=false%
+  ,moredelim=*[is][\supscr]{\\<^bsup>}{\\<^esup>}%
+  ,literate={%
+    {...}{\,\ldots\,}3%
+    {\\<Open>}{\ensuremath{\isacartoucheopen}}1%
+    {\\at}{@}1%
+    {\\<Close>}{\ensuremath{\isacartoucheclose}}1%
+    {\\<Gamma>}{\ensuremath{\Gamma}}1%
+    {\\<times>}{\ensuremath{\times}}1%
+    {\\<rbrakk>}{\ensuremath{\mathclose{\rbrack\mkern-3mu\rbrack}}}1%
+    {\\<rbrace>}{\ensuremath{\mathclose{\mid\mkern-4.5mu\rbrace}}}1%
+    {\\<lbrakk>}{\ensuremath{\mathopen{\lbrack\mkern-3mu\lbrack}}}1%
+    {\\<lbrace>}{\ensuremath{\mathopen{\lbrace\mkern-4.5mu\mid}}}1%
+    {\\<Rightarrow>}{\ensuremath{\Rightarrow}}1%
+    {\{*}{\raise.3ex\hbox{$\scriptscriptstyle\langle$}}1%
+    {*\}}{\raise.3ex\hbox{$\scriptscriptstyle\rangle$}}1%
+  }%
+  % % Defining "tags" (text-antiquotations) based on 1-keywords
+   ,tag=**[s]{@\{}{\}}%
+   ,tagstyle=\color{CornflowerBlue}%
+   ,markfirstintag=true%
+   ,keywordstyle=\bfseries%
+   ,keywords={}
+   % Defining 2-keywords
+   ,keywordstyle=[2]{\color{Blue!60}\bfseries}%
+   ,alsoletter={*,-}
+   ,morekeywords=[2]{theory, begin, end, ML,section,subsection,paragraph,chapter,text}%
+   %,moredelim=[s][\textit]{<}{>}
+   % Defining 3-keywords
+   ,keywordstyle=[3]{\color{OliveGreen!60}\bfseries}%
+   ,morekeywords=[3]{doc_class,declare_reference,update_instance*,
+     open_monitor*, close_monitor*, figure*, title*, subtitle*,declare_reference*,section*,text*}%
+   % Defining 4-keywords
+   ,keywordstyle=[4]{\color{black!60}\bfseries}%
+   ,morekeywords=[4]{where, imports}%
+   % Defining 5-keywords
+   ,keywordstyle=[5]{\color{BrickRed!70}\bfseries}%
+   ,morekeywords=[5]{datatype, typedecl, consts, theorem}%
+   % Defining 6-keywords
+   ,keywordstyle=[6]{\itshape}%
+   ,morekeywords=[6]{meta-args, ref, expr, class_id}%
+  % 
+}%
+%% 
+\lstnewenvironment{isar}[1][]{\lstset{style=ISAR,
+    backgroundcolor=\color{black!2},
+    frame=lines,
+    mathescape=true,
+    basicstyle=\footnotesize\ttfamily,#1}}{}
+%%% 
+\def\inlineisar{\lstinline[style=ISAR,breaklines=true,mathescape,breakatwhitespace=true]}
+
+\lstnewenvironment{out}[1][]{\lstset{
+    backgroundcolor=\color{green!2},
+    frame=lines,mathescape,breakatwhitespace=true
+    ,columns=flexible%
+    ,basicstyle=\footnotesize\rmfamily,#1}}{}
+
+
+%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%
+\lstloadlanguages{ML}
+\lstdefinestyle{sml}{basicstyle=\ttfamily,%
+                     commentstyle=\itshape,%
+                     keywordstyle=\bfseries\color{CornflowerBlue},%
+                     ndkeywordstyle=\color{red},%
+                     language=ML,
+                      ,keywordstyle=[6]{\itshape}%
+                      ,morekeywords=[6]{args_type}%
+                    }%
+
+\lstnewenvironment{sml}[1][]{\lstset{style=sml,
+    backgroundcolor=\color{Blue!4},
+    frame=lines,
+    basicstyle=\footnotesize\ttfamily,#1}}{}
+%%% 
+\def\inlinesml{\lstinline[style=sml,breaklines=true,mathescape,breakatwhitespace=true]}
diff --git a/examples/scholarly_paper/2022-phd-poster/document/preamble.tex b/examples/scholarly_paper/2022-phd-poster/document/preamble.tex
new file mode 100644
index 0000000..07862c7
--- /dev/null
+++ b/examples/scholarly_paper/2022-phd-poster/document/preamble.tex
@@ -0,0 +1,45 @@
+%% This is a placeholder for user-specific configuration and packages. 
+
+\usepackage{stmaryrd}
+\IfFileExists{beramono.sty}{\usepackage[scaled=0.88]{beramono}}{}%
+\IfFileExists{upquote.sty}{\usepackage{upquote}}{}%
+\usepackage{textcomp}
+\usepackage{xcolor}
+\usepackage{paralist}
+\usepackage{listings}
+\usepackage{lstisadof}
+\usepackage{xspace}
+
+\newcommand{\fixIsarList}{\vspace{-\topsep}\vspace{-\baselineskip}\mbox{}\\[0pt]\noindent}
+
+%\nolinenumbers
+\title{<TITLE>}
+\author{<AUTHOR>}
+%\author{First Author\inst{1}\orcidID{0000-1111-2222-3333}}
+%\author{First Author\inst{1}\orcidID{0000-1111-2222-3333} \and
+%Second Author\inst{2,3}\orcidID{1111-2222-3333-4444}}
+%\institute{Inst1}
+%\institute{ Inst1 \and Inst2 \and Inst3}
+%\titlerunning{Proving Ontology-Relations, Testing Ontology Instances}
+%\author{Idir Ait-Sadoune}
+%  {LMF, CentraleSupélec, Université Paris-Saclay, Paris, France}
+%  {idir.aitsadoune@centralesupelec.fr}
+%  {https://orcid.org/0000-0002-6484-8276}
+%  {}
+%\author{Nicolas Méric}
+%  {LMF, Université Paris-Saclay, Paris, France}
+%  {nicolas.meric@universite-paris-saclay.fr}
+%  {https://orcid.org/0000-0002-0756-7072}
+%  {}
+%\author{Burkhart Wolff}
+%  {LMF, Université Paris-Saclay, Paris, France}
+%  {burkhart.wolff@universite-paris-saclay.fr}
+%  {}
+%  {}
+%\Copyright{Idir Ait-Sadoune, Nicolas Méric, and Burkhart Wolff}
+%\authorrunning{I. Ait-Sadoune, N. Méric and B. Wolff}
+%\keywords{Ontologies, Formal Documents, Formal Development, Isabelle/HOL, Ontology Mapping}
+%\ccsdesc{Computing methodologies~Ontology engineering}
+%\ccsdesc{Information systems~Ontologies}
+%\ccsdesc{Theory of computation~Interactive proof systems}
+%\ccsdesc{Theory of computation~Higher order logic}
diff --git a/examples/scholarly_paper/2022-phd-poster/document/root.bib b/examples/scholarly_paper/2022-phd-poster/document/root.bib
new file mode 100644
index 0000000..16ae4ab
--- /dev/null
+++ b/examples/scholarly_paper/2022-phd-poster/document/root.bib
@@ -0,0 +1,11932 @@
+@STRING{pub-springer={Springer} }
+@STRING{pub-springer:adr="" }
+@STRING{s-lncs	= "LNCS" }
+﻿@STRING{pub-ieee= "IEEE" }
+﻿@STRING{pub-ieee:adr= "IEEE" }
+﻿@STRING{pub-acm= "ACM" }
+﻿@STRING{j-cacm= "CACM" }
+﻿@STRING{proc= "" }
+﻿@STRING{pub-elsevier= "Elsevier" }
+﻿@STRING{proc= "" }
+﻿@STRING{proc= "" }
+﻿@STRING{proc= "" }
+﻿@STRING{j-tosem= "" }
+﻿@STRING{pub-acm:adr= "" }
+
+@Manual{	  wenzel:isabelle-isar:2020,
+  title		= {The Isabelle/Isar Reference Manual},
+  author	= {Makarius Wenzel},
+  year		= 2020,
+  note		= {Part of the Isabelle distribution.}
+}
+
+@article{KohlhaseR21,
+  author    = {Michael Kohlhase and
+               Florian Rabe},
+  title     = {Experiences from Exporting Major Proof Assistant Libraries},
+  journal   = {J. Autom. Reason.},
+  volume    = {65},
+  number    = {8},
+  pages     = {1265--1298},
+  year      = {2021},
+  url       = {https://doi.org/10.1007/s10817-021-09604-0},
+  doi       = {10.1007/s10817-021-09604-0},
+  timestamp = {Wed, 03 Nov 2021 08:27:13 +0100},
+  biburl    = {https://dblp.org/rec/journals/jar/KohlhaseR21.bib},
+  bibsource = {dblp computer science bibliography, https://dblp.org}
+}
+
+@inproceedings{MendilASMP21,
+  author    = {Isma{\"{\i}}l Mendil and
+               Yamine A{\"{\i}}t-Ameur and
+               Neeraj Kumar Singh and
+               Dominique M{\'{e}}ry and
+               Philippe A. Palanque},
+  title     = {Standard Conformance-by-Construction with Event-B},
+  booktitle = {Formal Methods for Industrial Critical Systems - 26th International
+               Conference, {FMICS}, Paris, France},
+  series    = {LNCS},
+  volume    = {12863},
+  pages     = {126--146},
+  publisher = {Springer},
+  year      = {2021},
+  doi       = {10.1007/978-3-030-85248-1\_8}
+}
+
+@inproceedings{FotsoFLM18,
+  author    = {Steve Jeffrey Tueno Fotso and
+               Marc Frappier and
+               R{\'{e}}gine Laleau and
+               Amel Mammar},
+  title     = {Modeling the Hybrid {ERTMS/ETCS} Level 3 Standard Using a Formal Requirements
+               Engineering Approach},
+  booktitle = {Abstract State Machines, Alloy, B, TLA, VDM, and {Z} - 6th International
+               Conference, {ABZ}, Southampton, UK},
+  series    = {LLNCS},
+  volume    = {10817},
+  pages     = {262--276},
+  publisher = {Springer},
+  year      = {2018},
+  doi       = {10.1007/978-3-319-91271-4\_18}
+}
+
+@MISC{atl,
+   title = {ATL - A model transformation technology},
+   note={\url{https://www.eclipse.org/atl/}},
+   author = {Eclipse Fondation}
+}
+
+@inproceedings{BGPP95,
+  author    = {Yamine A{\"{\i}}t Ameur and
+               Frederic Besnard and
+               Patrick Girard and
+               Guy Pierra and
+               Jean{-}Claude Potier},
+  title     = {Formal Specification and Metaprogramming in the {EXPRESS} Language},
+  booktitle = {SEKE'95, The 7th International Conference on Software Engineering
+               and Knowledge Engineering, June 22-24, 1995, Rockville, Maryland,
+               USA, Proceedings},
+  pages     = {181--188},
+  publisher = {Knowledge Systems Institute},
+  year      = {1995}
+}
+
+@incollection{OWL2014,
+  author    = {Kunal Sengupta and
+               Pascal Hitzler},
+  title     = {Web Ontology Language {(OWL)}},
+  booktitle = {Encyclopedia of Social Network Analysis and Mining},
+  pages     = {2374--2378},
+  year      = {2014},
+  doi       = {10.1007/978-1-4614-6170-8\_113}
+}
+
+@article{protege,
+author = {Musen, Mark A.},
+title = {The Prot\'{e}G\'{e} Project: A Look Back and a Look Forward},
+year = {2015},
+issue_date = {June 2015},
+publisher = {Association for Computing Machinery},
+address = {New York, NY, USA},
+volume = {1},
+number = {4},
+url = {https://doi.org/10.1145/2757001.2757003},
+doi = {10.1145/2757001.2757003},
+journal = {AI Matters},
+month = {jun},
+pages = {4–12},
+numpages = {9}
+}
+
+@article{Nevzorova2014OntoMathPO,
+  title={Onto{Ma}th\textsuperscript{PRO} Ontology: {A} Linked Data Hub for Mathematics},
+  author={Olga Nevzorova and Nikita Zhiltsov and Alexander Kirillovich and Evgeny Konstantinovich Lipachev},
+  journal={ArXiv},
+  pdf = {\url{https://kpfu.ru/staff_files/F_438204284/OntoMathPro_ontology_KESW2014.pdf}},
+  doi = {10.1007/978-3-319-11716-4_9},
+  year={2014},
+  volume={abs/1407.4833}
+}
+
+@InProceedings{10.1007/978-3-030-79876-5_6,
+author="Nipkow, Tobias
+and Ro{\ss}kopf, Simon",
+editor="Platzer, Andr{\'e}
+and Sutcliffe, Geoff",
+title="Isabelle's Metalogic: Formalization and Proof Checker",
+booktitle="Automated Deduction -- CADE 28",
+year="2021",
+publisher="Springer International Publishing",
+address="Cham",
+pages="93--110",
+abstract="Isabelle is a generic theorem prover with a fragment of higher-order logic as a metalogic for defining object logics. Isabelle also provides proof terms. We formalize this metalogic and the language of proof terms in Isabelle/HOL, define an executable (but inefficient) proof term checker and prove its correctness w.r.t. the metalogic. We integrate the proof checker with Isabelle and run it on a range of logics and theories to check the correctness of all the proofs in those theories.",
+isbn="978-3-030-79876-5"
+}
+
+
+@TechReport{Parsia:12:OWO,
+  author      = "Bijan Parsia and Boris Motik and Peter Patel-Schneider",
+  title       = "{OWL} 2 Web Ontology Language Structural Specification and Functional-Style Syntax (Second Edition)",
+  month       = dec,
+  note        = "https://www.w3.org/TR/2012/REC-owl2-syntax-20121211/",
+  year        = "2012",
+  bibsource   = "https://w2.syronex.com/jmr/w3c-biblio",
+  type        = "{W3C} Recommendation",
+  institution = "W3C",
+}
+
+@ARTICLE{1654194,
+  author={Brachman},
+  journal={Computer}, 
+  title={What IS-A Is and Isn't: An Analysis of Taxonomic Links in Semantic Networks}, 
+  year={1983},
+  volume={16},
+  number={10},
+  pages={30-36},
+  doi={10.1109/MC.1983.1654194}}
+
+@TechReport{	  bsi:50128:2014,
+  type		= {Standard},
+  key		= {BS EN 50128:2011},
+  month		= apr,
+  year		= 2014,
+  series	= {British Standards Publication},
+  title		= {BS EN 50128:2011: Railway applications -- Communication,
+		  signalling and processing systems -- Software for railway
+		  control and protecting systems},
+  institution	= {Britisch Standards Institute (BSI)},
+  keywords	= {CENELEC},
+  abstract	= {This European Standard is part of a group of related
+		  standards. The others are EN 50126-1:1999 "Railway
+		  applications -- The specification and demonstration of
+		  Reliability, Availability, Maintainability and Safety
+		  (RAMS) -- Part 1: Basic requirements and generic process --
+		  and EN 50129:2003 "Railway applications -- Communication,
+		  signalling and processing systems -- Safety related
+		  electronic systems for signalling". EN 50126-1 addresses
+		  system issues on the widest scale, while EN 50129 addresses
+		  the approval process for individual systems which can exist
+		  within the overall railway control and protection system.
+		  This European Standard concentrates on the methods which
+		  need to be used in order to provide software which meets
+		  the demands for safety integrity which are placed upon it
+		  by these wider considerations. This European Standard
+		  provides a set of requirements with which the development,
+		  deployment and maintenance of any safety-related software
+		  intended for railway control and protection applications
+		  shall comply. It defines requirements concerning
+		  organisational structure, the relationship between
+		  organisations and division of responsibility involved in
+		  the development, deployment and maintenanceactivities.}
+}
+
+@inproceedings{naraschewski1998object,
+  title={Object-oriented verification based on record subtyping in higher-order logic},
+  author={Naraschewski, Wolfgang and Wenzel, Markus},
+  booktitle={International Conference on Theorem Proving in Higher Order Logics},
+  pages={349--366},
+  year={1998},
+  organization={Springer}
+}
+
+
+@inproceedings{HaftmannN10,
+  author    = {Florian Haftmann and
+               Tobias Nipkow},
+  editor    = {Matthias Blume and
+               Naoki Kobayashi and
+               Germ{\'{a}}n Vidal},
+  title     = {Code Generation via Higher-Order Rewrite Systems},
+  booktitle = {Functional and Logic Programming, 10th International Symposium, {FLOPS}
+               2010, Sendai, Japan, April 19-21, 2010. Proceedings},
+  series    = {Lecture Notes in Computer Science},
+  volume    = {6009},
+  pages     = {103--117},
+  publisher = {Springer},
+  year      = {2010},
+  url       = {https://doi.org/10.1007/978-3-642-12251-4\_9},
+  doi       = {10.1007/978-3-642-12251-4\_9},
+  timestamp = {Wed, 25 Sep 2019 18:04:25 +0200},
+  biburl    = {https://dblp.org/rec/conf/flops/HaftmannN10.bib},
+  bibsource = {dblp computer science bibliography, https://dblp.org}
+}
+                    
+@article{AehligHN12,
+  author    = {Klaus Aehlig and
+               Florian Haftmann and
+               Tobias Nipkow},
+  title     = {A compiled implementation of normalisation by evaluation},
+  journal   = {J. Funct. Program.},
+  volume    = {22},
+  number    = {1},
+  pages     = {9--30},
+  year      = {2012},
+  url       = {https://doi.org/10.1017/S0956796812000019},
+  doi       = {10.1017/S0956796812000019},
+  timestamp = {Wed, 25 Sep 2019 17:56:11 +0200},
+  biburl    = {https://dblp.org/rec/journals/jfp/AehligHN12.bib},
+  bibsource = {dblp computer science bibliography, https://dblp.org}
+}
+
+
+@InCollection{	  brucker.ea:isabelledof:2019,
+  abstract	= {DOF is a novel framework for defining ontologies and
+		  enforcing them during document development and evolution. A
+		  major goal of DOF is the integrated development of formal
+		  certification documents (e. g., for Common Criteria or
+		  CENELEC 50128) that require consistency across both formal
+		  and informal arguments.
+
+		  To support a consistent development of formal and informal
+		  parts of a document, we provide Isabelle/DOF, an
+		  implementation of DOF on top of the formal methods
+		  framework Isabelle/HOL. A particular emphasis is put on a
+		  deep integration into Isabelle{\^a}s IDE, which allows for
+		  smooth ontology development as well as immediate
+		  ontological feedback during the editing of a document.
+
+		  In this paper, we give an in-depth presentation of the
+		  design concepts of DOF's Ontology Definition Language
+		  (ODL) and key aspects of the technology of its
+		  implementation. Isabelle/DOF is the first ontology language
+		  supporting machine-checked links between the formal and
+		  informal parts in an LCF-style interactive theorem proving
+		  environment. Sufficiently annotated, large documents can
+		  easily be developed collabo- ratively, while ensuring their
+		  consistency, and the impact of changes (in the formal and
+		  the semi-formal content) is tracked automatically.},
+  keywords	= {Ontology, Formal Document Development, Certification, Isabelle/DOF},
+  location	= {Oslo},
+  author	= {Achim D. Brucker and Burkhart Wolff},
+  booktitle	= {Software Engineering and Formal Methods (SEFM)},
+  language	= {USenglish},
+  url		= {https://www.brucker.ch/bibliography/abstract/brucker.ea-isabelledof-2019},
+  publisher	= {Springer-Verlag},
+  address	= {Heidelberg},
+  series	= {Lecture Notes in Computer Science},
+  number	= {11724},
+  isbn		= {3-540-25109-X},
+  doi		= {10.1007/978-3-030-30446-1_15},
+  editor	= {Peter C. {\"O}lveczky and Gwen Sala{\"u}n},
+  pdf		= {https://www.brucker.ch/bibliography/download/2019/brucker.ea-isabelledof-2019.pdf},
+  title		= {{Isabelle/DOF}: Design and Implementation},
+  classification= {conference},
+  areas		= {formal methods, software},
+  categories	= {isadof},
+  year		= {2019},
+  public	= {yes}
+}
+
+@InCollection{	  brucker.ea:isabelle-ontologies:2018,
+  abstract	= {While Isabelle is mostly known as part of Isabelle/HOL (an
+		  interactive theorem prover), it actually provides a
+		  framework for developing a wide spectrum of applications. A
+		  particular strength of the Isabelle framework is the
+		  combination of text editing, formal verification, and code
+		  generation.
+
+		  Up to now, Isabelle's document preparation system lacks a
+		  mechanism for ensuring the structure of different document
+		  types (as, e.g., required in certification processes) in
+		  general and, in particular, mechanism for linking informal
+		  and formal parts of a document.
+
+		  In this paper, we present Isabelle/DOF, a novel Document
+		  Ontology Framework on top of Isabelle. Isabelle/DOF allows
+		  for conventional typesetting \emph{as well} as formal
+		  development. We show how to model document ontologies
+		  inside Isabelle/DOF, how to use the resulting
+		  meta-information for enforcing a certain document
+		  structure, and discuss ontology-specific IDE support.},
+  keywords	= {Isabelle/Isar, HOL, Ontologies},
+  location	= {Hagenberg, Austria},
+  author	= {Achim D. Brucker and Idir Ait-Sadoune and Paolo Crisafulli
+		  and Burkhart Wolff},
+  booktitle	= {Conference on Intelligent Computer Mathematics (CICM)},
+  language	= {USenglish},
+  publisher	= {Springer-Verlag},
+  address	= {Heidelberg},
+  series	= {Lecture Notes in Computer Science},
+  number	= {11006},
+  url		= {https://www.brucker.ch/bibliography/abstract/brucker.ea-isabelle-ontologies-2018},
+  title		= {Using the {Isabelle} Ontology Framework: Linking the
+		  Formal with the Informal},
+  classification= {conference},
+  areas		= {formal methods, software},
+  categories	= {isadof},
+  public	= {yes},
+  year		= {2018},
+  doi		= {10.1007/978-3-319-96812-4_3},
+  pdf		= {https://www.brucker.ch/bibliography/download/2018/brucker.ea-isabelle-ontologies-2018.pdf}
+}
+
+% $Id: fmde.bib 6539 2010-01-29 10:33:20Z brucker $
+
+@InProceedings{10.1007/978-3-030-30446-1_15,
+author="Brucker, Achim D. and Wolff, Burkhart",
+editor="{\"O}lveczky, Peter Csaba and Sala{\"u}n, Gwen",
+title="Isabelle/DOF: Design and Implementation",
+booktitle="Software Engineering and Formal Methods",
+year="2019",
+publisher="Springer International Publishing",
+address="Cham",
+pages="275--292",
+abstract="DOF is a novel framework for defining ontologies and enforcing them during document 
+development and document evolution. A major goal of DOF is the integrated development of formal 
+certification documents (e. g., for Common Criteria or CENELEC 50128) that require consistency 
+across both formal and informal arguments.",
+isbn="978-3-030-30446-1"
+}
+
+@InProceedings{10.1007/978-3-319-96812-4_3,
+author="Brucker, Achim D. and Ait-Sadoune, Idir and Crisafulli, Paolo and Wolff, Burkhart",
+editor="Rabe, Florian and Farmer, William M. and Passmore, Grant O. and Youssef, Abdou",
+title="Using the Isabelle Ontology Framework",
+booktitle="Intelligent Computer Mathematics",
+year="2018",
+publisher="Springer International Publishing",
+address="Cham",
+pages="23--38",
+abstract="While Isabelle is mostly known as part of Isabelle/HOL (an interactive theorem prover), 
+it actually provides a framework for developing a wide spectrum of applications. A particular 
+strength of the Isabelle framework is the combination of text editing, formal verification, and 
+code generation.",
+isbn="978-3-319-96812-4"
+}
+
+@Misc{w3c:ontologies:2015,
+  title={Ontologies},
+  organisation={W3c},
+  url={https://www.w3.org/standards/semanticweb/ontology},
+  year=2018
+}
+
+@BOOK{boulanger:cenelec-50128:2015,
+  AUTHOR       = "Boulanger, Jean-Louis",
+  TITLE        = "{CENELEC} 50128 and {IEC} 62279 Standards",
+  PUBLISHER    = "Wiley-ISTE",
+  YEAR         = "2015",
+  ADDRESS      = "Boston",
+  NOTE         = "The reference on the standard."
+}
+
+@Booklet{         cc:cc-part3:2006,
+  bibkey        = {cc:cc-part3:2006},
+  key           = {Common Criteria},
+  institution   = {Common Criteria},
+  language      = {USenglish},
+  month         = sep,
+  year          = 2006,
+  public        = {yes},
+  title         = {Common Criteria for Information Technology Security
+                  Evaluation (Version 3.1), {Part} 3: Security assurance
+                  components},
+  note          = {Available as document
+                  \href{http://www.commoncriteriaportal.org/public/files/CCPART3V3.1R1.pdf}
+                  {CCMB-2006-09-003}},
+  number        = {CCMB-2006-09-003},
+  acknowledgement={brucker, 2007-04-24}
+}
+
+
+@article{DBLP:journals/jcs/RoscoeB99,
+  author    = {A. W. Roscoe and
+               Philippa J. Broadfoot},
+  title     = {Proving Security Protocols with Model Checkers by Data Independence
+               Techniques},
+  journal   = {Journal of Computer Security},
+  volume    = {7},
+  number    = {1},
+  pages     = {147--190},
+  year      = {1999}
+}
+
+@InProceedings{Roscoe95,
+author="Roscoe, A. W. and Gardiner, P. H. B. and Goldsmith, M. H.
+and Hulance, J. R. and Jackson, D. M. and Scattergood, J. B.",
+title="Hierarchical compression for model-checking CSP or how to check 1020 dining philosophers for deadlock",
+booktitle="Tools and Algorithms for the Construction and Analysis of Systems",
+year="1995",
+publisher="Springer Berlin Heidelberg",
+address="Berlin, Heidelberg",
+pages="133--152",
+isbn="978-3-540-48509-4"
+}
+
+@InProceedings{	  zhang.ea:dynamic:2003,
+  author	= {Guangsen Zhang and Manish Parashar},
+  title		= {Dynamic Context-aware Access Control for Grid
+		  Applications},
+  booktitle	= {GRID '03: Proceedings of the Fourth International Workshop
+		  on Grid Computing},
+  year		= 2003,
+  pages		= 101,
+  address	= {Washington, DC, USA},
+  publisher	= pub-ieee,
+  isbn		= {0-7695-2026-X},
+  tags		= {ReadingList, SoKNOS, AccessControl},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@inproceedings{DBLP:conf/concur/IsobeR06,
+  author    = {Yoshinao Isobe and
+               Markus Roggenbach},
+  title     = {A Complete Axiomatic Semantics for the {CSP} Stable-Failures Model},
+  booktitle = {{CONCUR} 2006 - Concurrency Theory, 17th International Conference,
+               Bonn, Germany, August 27-30, 2006},
+  pages     = {158--172},
+  year      = {2006}
+}
+
+
+@article{Security_Protocol_Refinement-AFP,
+  author  = {Christoph Sprenger and Ivano Somaini},
+  title   = {Developing Security Protocols by Refinement},
+  journal = {Archive of Formal Proofs},
+  month   = may,
+  year    = 2017,
+  note    = {\url{http://isa-afp.org/entries/Security_Protocol_Refinement.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}
+@article{Splay_Tree-AFP,
+  author  = {Tobias Nipkow},
+  title   = {Splay Tree},
+  journal = {Archive of Formal Proofs},
+  month   = aug,
+  year    = 2014,
+  note    = {\url{http://isa-afp.org/entries/Splay_Tree.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}
+@article{CakeML-AFP,
+  author  = {Lars Hupel and Yu Zhang},
+  title   = {CakeML},
+  journal = {Archive of Formal Proofs},
+  month   = mar,
+  year    = 2018,
+  note    = {\url{http://isa-afp.org/entries/CakeML.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}
+@Article{	  brucker.ea:featherweight:2014,
+  author	= {Achim D. Brucker and Fr{\'e}d{\'e}ric Tuong and Burkhart Wolff},
+  title		= {{Featherweight} {OCL}: A Proposal for a Machine-Checked Formal Semantics for {OCL} 2.5},
+  journal	= {Archive of Formal Proofs},
+  month		= jan,
+  year		= 2014,
+  note		= {\url{http://www.isa-afp.org/entries/Featherweight_OCL.shtml}, Formal proof development},
+  issn		= {2150-914x},
+  public	= {yes},
+  classification= {formal},
+  categories	= {holocl},
+  pdf		= {http://www.brucker.ch/bibliography/download/2014/brucker.ea-featherweight-2014.pdf},
+  filelabel	= {Outline},
+  file		= {http://www.brucker.ch/bibliography/download/2014/brucker.ea-featherweight-outline-2014.pdf},
+  areas		= {formal methods, software},
+  url		= {http://www.brucker.ch/bibliography/abstract/brucker.ea-featherweight-2014}
+}
+
+@Article{	  brucker.ea:afp-core-dom:2018,
+  author	= {Achim D. Brucker and Michael Herzberg},
+  title		= {The {Core} {DOM}},
+  journal	= {Archive of Formal Proofs},
+  month		= dec,
+  year		= 2018,
+  date		= {2018-12-26},
+  note		= {\url{http://www.isa-afp.org/entries/Core_DOM.html}, Formal proof development},
+  issn		= {2150-914x},
+  abstract	= {In this AFP entry, we formalize the core of the Document Object Model (DOM). At its core, the DOM
+		  defines a tree-like data structure for representing documents in general and HTML documents in
+		  particular. It is the heart of any modern web browser. Formalizing the key concepts of the DOM is a
+		  prerequisite for the formal reasoning over client-side JavaScript programs and for the analysis of
+		  security concepts in modern web browsers. We present a formalization of the core DOM, with focus on
+		  the node-tree and the operations defined on node-trees, in Isabelle/HOL. We use the formalization to
+		  verify the functional correctness of the most important functions defined in the DOM standard.
+		  Moreover, our formalization is 1) extensible, i.e., can be extended without the need of re-proving
+		  already proven properties and 2) executable, i.e., we can generate executable code from our
+		  specification.},
+  public	= {yes},
+  classification= {formal},
+  categories	= {websecurity},
+  pdf		= {http://www.brucker.ch/bibliography/download/2018/brucker.ea-afp-core-dom-2018.pdf},
+  filelabel	= {Outline},
+  file		= {http://www.brucker.ch/bibliography/download/2018/brucker.ea-afp-core-dom-outline-2018.pdf},
+  areas		= {formal methods, security, software engineering},
+  url		= {http://www.brucker.ch/bibliography/abstract/brucker.ea-afp-core-dom-2018}
+}
+@article{SPARCv8-AFP,
+  author  = {Zhe Hou and David Sanan and Alwen Tiu and Yang Liu},
+  title   = {A formal model for the SPARCv8 ISA and a proof of non-interference for the LEON3 processor},
+  journal = {Archive of Formal Proofs},
+  month   = oct,
+  year    = 2016,
+  note    = {\url{http://isa-afp.org/entries/SPARCv8.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}
+
+@Article{	  verbeek.ea:formal:2014,
+  author	= {Freek Verbeek and Sergey Tverdyshev and Oto Havle and
+		  Holger Blasum and Bruno Langenstein and Werner Stephan and
+		  Yakoub Nemouchi and Abderrahmane Feliachi and Burkhart
+		  Wolff and Julien Schmaltz},
+  title		= {Formal Specification of a Generic Separation Kernel},
+  journal	= {Archive of Formal Proofs},
+  month		= jul,
+  year		= 2014,
+  note		= {\url{http://isa-afp.org/entries/CISC-Kernel.html}, Formal
+		  proof development},
+  issn		= {2150-914x}
+}
+@Article{	  brucker.ea:upf-firewall:2017,
+  author	= {Achim D. Brucker and Lukas Br{\"u}gger and Burkhart Wolff},
+  title		= {Formal Network Models and Their Application to Firewall Policies},
+  journal	= {Archive of Formal Proofs},
+  month		= jan,
+  year		= 2017,
+  date		= {2017-01-08},
+  note		= {\url{http://www.isa-afp.org/entries/UPF_Firewall.shtml}, Formal proof development},
+  issn		= {2150-914x},
+  public	= {yes},
+  classification= {formal},
+  categories	= {holtestgen},
+  pdf		= {http://www.brucker.ch/bibliography/download/2017/brucker.ea-upf-firewall-2017.pdf},
+  filelabel	= {Outline},
+  file		= {http://www.brucker.ch/bibliography/download/2017/brucker.ea-upf-firewall-outline-2017.pdf},
+  areas		= {formal methods, security},
+  url		= {http://www.brucker.ch/bibliography/abstract/brucker.ea-upf-firewall-2017}
+}
+
+@Article{	  klein.ea:comprehensive:2014,
+  author	= {Gerwin Klein and June Andronick and Kevin Elphinstone and
+		  Toby C. Murray and Thomas Sewell and Rafal Kolanski and
+		  Gernot Heiser},
+  title		= {Comprehensive formal verification of an {OS} microkernel},
+  journal	= {{ACM} Trans. Comput. Syst.},
+  year		= 2014,
+  volume	= 32,
+  number	= 1,
+  pages		= {2:1--2:70},
+  doi		= {10.1145/2560537}
+}
+
+@InProceedings{10.1007/978-3-540-76298-0_52,
+author="Auer, S{\"o}ren
+and Bizer, Christian
+and Kobilarov, Georgi
+and Lehmann, Jens
+and Cyganiak, Richard
+and Ives, Zachary",
+editor="Aberer, Karl
+and Choi, Key-Sun
+and Noy, Natasha
+and Allemang, Dean
+and Lee, Kyung-Il
+and Nixon, Lyndon
+and Golbeck, Jennifer
+and Mika, Peter
+and Maynard, Diana
+and Mizoguchi, Riichiro
+and Schreiber, Guus
+and Cudr{\'e}-Mauroux, Philippe",
+title="{DB}pedia: A Nucleus for a Web of Open Data",
+booktitle="The Semantic Web",
+year="2007",
+publisher="Springer Berlin Heidelberg",
+address="Berlin, Heidelberg",
+pages="722--735",
+abstract="DBpedia is a community effort to extract structured information from Wikipedia and to make this information available on the Web. DBpedia allows you to ask sophisticated queries against datasets derived from Wikipedia and to link other datasets on the Web to Wikipedia data. We describe the extraction of the DBpedia datasets, and how the resulting information is published on the Web for human- and machine-consumption. We describe some emerging applications from the DBpedia community and show how website authors can facilitate DBpedia content within their sites. Finally, we present the current status of interlinking DBpedia with other open datasets on the Web and outline how DBpedia could serve as a nucleus for an emerging Web of open data.",
+isbn="978-3-540-76298-0"
+}
+
+
+
+@InProceedings{	  thomas:role-based:1996,
+  author	= {Roshan Thomas},
+  title		= {Role-based access control and distributed object-based
+		  enterprise computing},
+  booktitle	= {RBAC '95: Proceedings of the first ACM Workshop on
+		  Role-based access control},
+  year		= 1996,
+  pages		= 21,
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  isbn		= {0-89791-759-6},
+  location	= {Gaithersburg, Maryland, United States},
+  doi		= {10.1145/270152.270194},
+  tags		= {ReadingList, SoKNOS, AccessControl},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Article{	  harrison.ea:protection:1976,
+  author	= {Michael A. Harrison and Walter L. Ruzzo and Jeffrey D.
+		  Ullman},
+  title		= {Protection in operating systems},
+  journal	= j-cacm,
+  year		= 1976,
+  volume	= 19,
+  number	= 8,
+  pages		= {461--471},
+  issn		= {0001-0782},
+  doi		= {10.1145/360303.360333},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  tags		= {ReadingList, SoKNOS, AccessControl},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  hafner.ea:modeling:2007,
+  author	= {Michael Hafner and Mukhtiar Memon and Muhammad Alam},
+  title		= {Modeling and Enforcing Advanced Access Control Policies in
+		  Healthcare Systems with \textsc{Sectet}},
+  booktitle	= {MoDELS Workshops},
+  year		= 2007,
+  pages		= {132--144},
+  doi		= {10.1007/978-3-540-69073-3_15},
+  crossref	= {giese:models:2007}
+}
+
+@Proceedings{	  giese:models:2007,
+  editor	= {Holger Giese},
+  title		= {Models in Software Engineering, Workshops and Symposia at
+		  MoDELS 2007, Nashville, TN, USA, September 30 - October 5,
+		  2007, Reports and Revised Selected Papers},
+  booktitle	= {MoDELS Workshops},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 5002,
+  year		= 2008,
+  isbn		= {978-3-540-69069-6}
+}
+
+@InProceedings{	  hu.ea:dynamic:2004,
+  author	= {Junzhe Hu and Alfred C. Weaver},
+  title		= {Dynamic, Context-Aware Access Control for Distributed
+		  Healthcare Applications},
+  booktitle	= PROC # { the First Workshop on Pervasive Security,
+		  Privacy and Trust (\acs{pspt})},
+  year		= 2004,
+  tags		= {SoKNOS, AccessControl},
+  abstract	= {The rapid worldwide deployment of the Internet and Web is
+		  the enabler of a new generation of e-healthcare
+		  applications, but the provision of a security architecture
+		  that can ensure the privacy and security of sensitive
+		  healthcare data is still an open question. Current
+		  solutions to this problem (mostly built on static RBAC
+		  models) are application-dependent and do not address the
+		  intricate security requirements of healthcare applications.
+		  The healthcare industry requires , on-demand
+		  authentication, extensible context-aware access control,
+		  and dynamic authorization enforcement. With on-demand
+		  authentication, users are authenticated according to their
+		  task-specific situations. Extensible context-aware access
+		  control enables administrators to specify more precise and
+		  fine-grain authorization polices for any application.
+		  Dynamic authorization enforcement makes authorization
+		  decisions based upon runtime parameters rather than simply
+		  the role of the user. In this paper we describe a dynamic,
+		  context-aware security infrastructure that can fulfill the
+		  security requirements of healthcare applications and that
+		  can also be easily adapted to offer security support for
+		  similar enterprise applications.},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@TechReport{	  spc:break-glass:2004,
+  title		= {Break-Glass: An Approach to Granting Emergency Access to
+		  Healthcare Systems},
+  year		= 2004,
+  abstract	= {This white paper discusses a simple yet effective
+		  emergency-access solution, sometimes called
+		  ``break-glass.'' The purpose of break-glass is to allow
+		  operators emergency access to the system in cases where the
+		  normal authentication cannot be successfully completed or
+		  is not working properly. The systems include medical data
+		  acquisition devices as well as information systems which
+		  are collectively referred to as Medical Information Systems
+		  (MedIS).},
+  institution	= {Joint \acs{nema}/\acs{cocir}/\acs{jira} Security and
+		  Privacy Committee (\acs{spc})},
+  type		= {White paper},
+  tags		= {ReadingList, SoKNOS, AccessControl},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  ferreira.ea:how:2006,
+  author	= {A. Ferreira and R. Cruz-Correia and L. Antunes and P.
+		  Farinha and E. Oliveira-Palhares and D.W. Chadwick and A.
+		  Costa-Pereira},
+  title		= {How to Break Access Control in a Controlled Manner},
+  booktitle	= PROC # {\acs{ieee} International Symposium
+		  on Computer-Based Medical Systems (\acs{cbms})},
+  year		= 2006,
+  pages		= {847--854},
+  abstract	= {The electronic medical record (EMR) integrates
+		  heterogeneous information within a healthcare institution
+		  stressing the need for security and access control. The
+		  Biostatistics and Medical Informatics Department from Porto
+		  Faculty of Melsdicine has recently implemented a virtual
+		  EMR (VEMR) in order to integrate patient information and
+		  clinical reports within a university hospital. With more
+		  than 500 medical doctors using the system on a daily basis,
+		  an access control policy and model were implemented.
+		  However, the healthcare environment has unanticipated
+		  situations (i.e. emergency situations) where access to
+		  information is essential. Most traditional policies do not
+		  allow for overriding. A policy that allows for
+		  "Break-The-Glass (BTG)" was implemented in order to
+		  override access control whilst providing for
+		  non-repudiation mechanisms for its usage. The policy was
+		  easily integrated within the model confirming its
+		  modularity and the fact that user intervention in defining
+		  security procedures is crucial to its successful
+		  implementation and use},
+  keywords	= {access control, medical administrative data processing,
+		  security of dataaccess control, clinical reports,
+		  electronic medical record, healthcare institution, patient
+		  information, university hospital},
+  doi		= {10.1109/CBMS.2006.95},
+  issn		= {1063-7125},
+  tags		= {ReadingList, SoKNOS, AccessControl},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Article{	  basin.ea:model:2006,
+  author	= {David A. Basin and J\"{u}rgen Doser and Torsten
+		  Lodderstedt},
+  title		= {Model driven security: From {UML} models to access control
+		  infrastructures},
+  journal	= j-tosem,
+  year		= 2006,
+  volume	= 15,
+  number	= 1,
+  pages		= {39--91},
+  issn		= {1049-331X},
+  doi		= {10.1145/1125808.1125810},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  tags		= {ReadingList, SoKNOS, AccessControl, SecureUML, MDS},
+  clearance	= {unclassified},
+  abstract	= {We present a new approach to building secure systems. In
+		  our approach, which we call Model Driven Security,
+		  designers specify system models along with their security
+		  requirements and use tools to automatically generate system
+		  architectures from the models including complete,
+		  configured access control infrastructures. Rather than
+		  fixing one particular modeling language for this process,
+		  we propose a general schema for constructing such languages
+		  that combines languages for modeling systems with languages
+		  for modeling security. We present several instances of this
+		  schema thatcombine (both syntactically and semantically)
+		  different UML modeling languages with a security modeling
+		  language for formalizing access control requirements. From
+		  models in the combined languages, we automatically generate
+		  access control infrastructures for server-based
+		  applications, built from declarative and programmatic
+		  access control mechanisms. The modeling languages and
+		  generation process are semantically well-founded and are
+		  based on an extension of Role-Based Access Control. We have
+		  implemented this approach ina UML-based CASE-tool and
+		  report on experiments.},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  schaad.ea:role-based:2001,
+  author	= {Andreas Schaad and Jonathan Moffett and Jeremy Jacob},
+  title		= {The role-based access control system of a European bank: a
+		  case study and discussion},
+  booktitle	= PROC # { the sixth \acs{acm} symposium on Access
+		  control models and technologies (\acs{sacmat})},
+  year		= 2001,
+  pages		= {3--9},
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  isbn		= {1-58113-350-2},
+  location	= {Chantilly, Virginia, United States},
+  doi		= {10.1145/373256.373257},
+  tags		= {ReadingList, AccessControl},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  beznosov:requirements:1998,
+  author	= {Konstantin Beznosov},
+  title		= {Requirements for access control: \acs{us} Healthcare
+		  domain},
+  booktitle	= PROC # { the third \acs{acm} workshop on Role-based
+		  access control (\acs{rbac})},
+  year		= 1998,
+  pages		= 43,
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  isbn		= {1-58113-113-5},
+  location	= {Fairfax, Virginia, United States},
+  doi		= {10.1145/286884.286892},
+  tags		= {ReadingList, SoKNOS, AccessControl},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  etalle.ea:posteriori:2007,
+  author	= {Sandro Etalle and William H. Winsborough},
+  title		= {A posteriori compliance control},
+  booktitle	= PROC # { the 12th \acs{acm} symposium on Access
+		  control models and technologies (\acs{sacmat})},
+  year		= 2007,
+  pages		= {11--20},
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  isbn		= {978-1-59593-745-2},
+  location	= {Sophia Antipolis, France},
+  doi		= {10.1145/1266840.1266843},
+  tags		= {ReadingList, SoKNOS, AccessControl},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  lupu.ea:policy:1996,
+  author	= {Emil C. Lupu and Damian A. Marriott and Morris S. Sloman
+		  and Nicholas Yialelis},
+  title		= {A policy based role framework for access control},
+  booktitle	= {RBAC '95: Proceedings of the first ACM Workshop on
+		  Role-based access control},
+  year		= 1996,
+  pages		= 11,
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  isbn		= {0-89791-759-6},
+  location	= {Gaithersburg, Maryland, United States},
+  doi		= {10.1145/270152.270171},
+  tags		= {ReadingList, SoKNOS, AccessControl},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Article{	  wainer.ea:dw-rbac:2007,
+  author	= {Jacques Wainer and Akhil Kumar and Paulo Barthelmess},
+  title		= {DW-RBAC: A formal security model of delegation and
+		  revocation in workflow systems},
+  journal	= {Inf. Syst.},
+  year		= 2007,
+  volume	= 32,
+  number	= 3,
+  pages		= {365--384},
+  abstract	= {One reason workflow systems have been criticized as being
+		  inflexible is that they lack support for delegation. This
+		  paper shows how delegation can be introduced in a workflow
+		  system by extending the role-based access control (RBAC)
+		  model. The current RBAC model is a security mechanism to
+		  implement access control in organizations by allowing users
+		  to be assigned to roles and privileges to be associated
+		  with the roles. Thus, users can perform tasks based on the
+		  privileges possessed by their own role or roles they
+		  inherit by virtue of their organizational position.
+		  However, there is no easy way to handle delegations within
+		  this model. This paper tries to treat the issues
+		  surrounding delegation in workflow systems in a
+		  comprehensive way. We show how delegations can be
+		  incorporated into the RBAC model in a simple and
+		  straightforward manner. The new extended model is called
+		  RBAC with delegation in a workflow context (DW-RBAC). It
+		  allows for delegations to be specified from a user to
+		  another user, and later revoked when the delegation is no
+		  longer required. The implications of such specifications
+		  and their subsequent revocations are examined. Several
+		  formal definitions for assertion, acceptance, execution and
+		  revocation are provided, and proofs are given for the
+		  important properties of our delegation framework.},
+  issn		= {0306-4379},
+  doi		= {http://dx.doi.org/10.1016/j.is.2005.11.008},
+  publisher	= pub-elsevier,
+  address	= {Oxford, UK, UK},
+  tags		= {ReadingList, SoKNOS},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  bertino.ea:flexible:1997,
+  author	= {Elisa Bertino and Elena Ferrari and Vijayalakshmi Atluri},
+  title		= {A flexible model supporting the specification and
+		  enforcement of role-based authorization in workflow
+		  management systems},
+  booktitle	= {RBAC '97: Proceedings of the second ACM workshop on
+		  Role-based access control},
+  year		= 1997,
+  pages		= {1--12},
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  isbn		= {0-89791-985-8},
+  location	= {Fairfax, Virginia, United States},
+  doi		= {10.1145/266741.266746},
+  tags		= {ReadingList, SoKNOS, AccessControl},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  bracha.ea:mixin-based:1990,
+  author	= {Gilad Bracha and William Cook},
+  title		= {Mixin-based inheritance},
+  booktitle	= {OOPSLA/ECOOP '90: Proceedings of the European conference
+		  on object-oriented programming on Object-oriented
+		  programming systems, languages, and applications},
+  year		= 1990,
+  pages		= {303--311},
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  isbn		= {0-201-52430-X},
+  location	= {Ottawa, Canada},
+  doi		= {10.1145/97945.97982},
+  tags		= {ReadingList, OOP},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  park.ea:towards:2002,
+  author	= {Jaehong Park and Ravi Sandhu},
+  title		= {Towards usage control models: beyond traditional access
+		  control},
+  booktitle	= {SACMAT '02: Proceedings of the seventh ACM symposium on
+		  Access control models and technologies},
+  year		= 2002,
+  pages		= {57--64},
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  isbn		= {1-58113-496-7},
+  location	= {Monterey, California, USA},
+  doi		= {10.1145/507711.507722},
+  tags		= {ReadingList, AccessControl, SoKNOS},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Article{	  graham.ea:associations:1997,
+  author	= {Ian Graham and Julia Bischof and Brian Henderson-Sellers},
+  title		= {Associations Considered a Bad Thing},
+  journal	= {JOOP},
+  year		= 1997,
+  volume	= 9,
+  number	= 9,
+  pages		= {41--48},
+  tags		= {ReadingList, OOP},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  scharli.ea:traits:2003,
+  author	= {Nathanael Sch{\"a}rli and St{\'e}phane Ducasse and Oscar
+		  Nierstrasz and Andrew P. Black},
+  title		= {Traits: Composable Units of Behaviour},
+  booktitle	= {ECOOP},
+  year		= 2003,
+  pages		= {248--274},
+  ee		= {http://springerlink.metapress.com/openurl.asp?genre=article{\&}issn=0302-9743{\&}volume=2743{\&}spage=248}
+		  ,
+  crossref	= {cardelli:ecoop:2003},
+  tags		= {ReadingList, OOP},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Proceedings{	  cardelli:ecoop:2003,
+  title		= {ECOOP 2003 - Object-Oriented Programming, 17th European
+		  Conference, Darmstadt, Germany, July 21-25, 2003,
+		  Proceedings},
+  year		= 2003,
+  editor	= {Luca Cardelli},
+  volume	= 2743,
+  series	= s-lncs,
+  publisher	= pub-springer,
+  booktitle	= {ECOOP},
+  isbn		= {3-540-40531-3},
+  tags		= {ReadingList, OOP},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  wolter.ea:modelling:2008,
+  author	= {Christian Wolter and Michael Menzel and Christoph Meinel},
+  title		= {Modelling Security Goals in Business Processes},
+  booktitle	= {Modellierung},
+  year		= 2008,
+  pages		= {197--212},
+  crossref	= {kuhne.ea:modellierung:2008},
+  tags		= {ReadingList, MDS, AccessControl},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Proceedings{	  kuhne.ea:modellierung:2008,
+  title		= {Modellierung 2008, 12.-14. M{\"a}rz 2008, Berlin},
+  year		= 2008,
+  editor	= {Thomas K{\"u}hne and Wolfgang Reisig and Friedrich
+		  Steimann},
+  volume	= 127,
+  series	= {LNI},
+  publisher	= {GI},
+  booktitle	= {Modellierung},
+  isbn		= {978-3-88579-221-5},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  wolter.ea:deriving:2007,
+  author	= {Christian Wolter and Andreas Schaad and Christoph Meinel},
+  title		= {Deriving XACML Policies from Business Process Models},
+  booktitle	= {WISE Workshops},
+  year		= 2007,
+  pages		= {142--153},
+  ee		= {http://dx.doi.org/10.1007/978-3-540-77010-7_15},
+  crossref	= {weske.ea:web:2007},
+  tags		= {ReadingList, SoKNOS, MDS},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Proceedings{	  weske.ea:web:2007,
+  title		= {Web Information Systems Engineering - WISE 2007 Workshops,
+		  WISE 2007 International Workshops, Nancy, France, December
+		  3, 2007, Proceedings},
+  year		= 2007,
+  editor	= {Mathias Weske and Mohand-Said Hacid and Claude Godart},
+  volume	= 4832,
+  series	= s-lncs,
+  publisher	= pub-springer,
+  booktitle	= {WISE Workshops},
+  isbn		= {978-3-540-77009-1},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  sandhu.ea:nist:2000,
+  author	= {Ravi S. Sandhu and David F. Ferraiolo and D. Richard
+		  Kuhn},
+  title		= {The NIST model for role-based access control: towards a
+		  unified standard},
+  booktitle	= {ACM Workshop on Role-Based Access Control},
+  year		= 2000,
+  pages		= {47--63},
+  doi		= {10.1145/344287.344301},
+  tags		= {ReadingList, AccessControl},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Article{	  ferraiolo.ea:proposed:2001,
+  author	= {David F. Ferraiolo and Ravi S. Sandhu and Serban I.
+		  Gavrila and D. Richard Kuhn and Ramaswamy Chandramouli},
+  title		= {Proposed \acs{nist} standard for role-based access
+		  control},
+  journal	= j-tissec,
+  year		= 2001,
+  pub		= pub-acm,
+  address	= pub-acm:adr,
+  volume	= 4,
+  number	= 3,
+  pages		= {224--274},
+  doi		= {10.1145/501978.501980},
+  tags		= {ReadingList, AccessControl},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  drouineaud.ea:first:2004,
+  author	= {Michael Drouineaud and Maksym Bortin and Paolo Torrini and
+		  Karsten Sohr},
+  title		= {A First Step Towards Formal Verification of Security
+		  Policy Properties for \acs{rbac}},
+  booktitle	= {QSIC},
+  year		= 2004,
+  pages		= {60--67},
+  doi		= {10.1109/QSIC.2004.1357945},
+  crossref	= {anonymous:qsic:2004},
+  tags		= {AccessControl, FormalMethods, TheoremProving},
+  abstract	= {Considering the current expansion of IT-infrastructure the
+		  security of the data inside this infrastructure becomes
+		  increasingly important. Therefore assuring certain security
+		  properties of IT-systems by formal methods is desirable. So
+		  far in security formal methods have mostly been used to
+		  prove properties of security protocols. However, access
+		  control is an indispensable part of security inside a given
+		  IT-system, which has not yet been sufficiently examined
+		  using formal methods. The paper presents an example of a
+		  RBAC security policy having the dual control property. This
+		  is proved in a first-order linear temporal logic (LTL) that
+		  has been embedded in the theorem prover Isabelle/HOL by the
+		  authors. Thus the correctness of the proof is assured by
+		  Isabelle/HOL. The authors consider first-order LTL a good
+		  formalism for expressing RBAC authorisation constraints and
+		  deriving properties from given RBAC security policies.
+		  Furthermore it might also be applied to safety-related
+		  issues in similar manner.},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Proceedings{	  anonymous:qsic:2004,
+  title		= {4th International Conference on Quality Software (QSIC
+		  2004), 8-10 September 2004, Braunschweig, Germany},
+  year		= 2004,
+  address	= pub-ieee:adr,
+  publisher	= pub-ieee,
+  booktitle	= {QSIC},
+  isbn		= {0-7695-2207-6},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  sohr.ea:specification:2005,
+  author	= {Karsten Sohr and Gail-Joon Ahn and Martin Gogolla and Lars
+		  Migge},
+  title		= {Specification and Validation of Authorisation Constraints
+		  Using UML and OCL},
+  booktitle	= {ESORICS},
+  year		= 2005,
+  pages		= {64--79},
+  ee		= {http://dx.doi.org/10.1007/11555827_5},
+  crossref	= {vimercati.ea:computer:2005},
+  abstracts	= {Abstract. Authorisation constraints can help the policy
+		  architect design and express higher-level security policies
+		  for organisations such as financial institutes or
+		  governmental agencies. Although the importance of
+		  constraints has been addressed in the literature, there
+		  does not exist a systematic way to validate and test
+		  authorisation constraints. In this paper, we attempt to
+		  specify non-temporal constraints and history-based
+		  constraints in Object Constraint Language (OCL) which is a
+		  constraint specification language of Unified Modeling
+		  Language (UML) and describe how we can facilitate the USE
+		  tool to validate and test such policies. We also discuss
+		  the issues of identification of conflicting constraints and
+		  missing constraints. },
+  tags		= {AccessControl, SecureUML},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Proceedings{	  vimercati.ea:computer:2005,
+  title		= {Computer Security - ESORICS 2005, 10th European Symposium
+		  on Research in Computer Security, Milan, Italy, September
+		  12-14, 2005, Proceedings},
+  year		= 2005,
+  editor	= {Sabrina De Capitani di Vimercati and Paul F. Syverson and
+		  Dieter Gollmann},
+  volume	= 3679,
+  series	= s-lncs,
+  publisher	= pub-springer,
+  booktitle	= {ESORICS},
+  isbn		= {3-540-28963-1},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  wolter.ea:modeling:2007,
+  author	= {Christian Wolter and Andreas Schaad},
+  title		= {Modeling of Task-Based Authorization Constraints in BPMN},
+  booktitle	= {BPM},
+  year		= 2007,
+  pages		= {64--79},
+  ee		= {http://dx.doi.org/10.1007/978-3-540-75183-0_5},
+  crossref	= {alonso.ea:business:2007},
+  tags		= {ReadingList, SoKNOS, MDS, AccessControl},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Proceedings{	  alonso.ea:business:2007,
+  title		= {Business Process Management, 5th International Conference,
+		  BPM 2007, Brisbane, Australia, September 24-28, 2007,
+		  Proceedings},
+  year		= 2007,
+  editor	= {Gustavo Alonso and Peter Dadam and Michael Rosemann},
+  volume	= 4714,
+  series	= s-lncs,
+  publisher	= pub-springer,
+  booktitle	= {BPM},
+  isbn		= {978-3-540-75182-3},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Article{	  sohr.ea:analyzing:2008,
+  author	= {Karsten Sohr and Michael Drouineaud and Gail-Joon Ahn and
+		  Martin Gogolla},
+  title		= {Analyzing and Managing Role-Based Access Control
+		  Policies},
+  journal	= j-tkde,
+  year		= 2008,
+  doi		= {10.1109/TKDE.2008.28},
+  abstract	= {Today more and more security-relevant data is stored on
+		  computer systems; security-critical business processes are
+		  mapped to their digital counterparts. This situation
+		  applies to various domains such as health care industry,
+		  digital government, and financial service institutes
+		  requiring that different security requirements must be
+		  fulfilled. Authorisation constraints can help the policy
+		  architect design and express higher-level organisational
+		  rules. Although the importance of authorisation constraints
+		  has been addressed in the literature, there does not exist
+		  a systematic way to verify and validate authorisation
+		  constraints. In this paper, we specify both non-temporal
+		  and history-based authorisation constraints in the Object
+		  Constraint Language (OCL) and first-order linear temporal
+		  logic (LTL). Based upon these specifications, we attempt to
+		  formally verify role-based access control policies with the
+		  help of a theorem prover and to validate policies with the
+		  USE system, a validation tool for OCL constraints. We also
+		  describe an authorisation engine, which supports the
+		  enforcement of authorisation constraints.},
+  tags		= {ReadingList, AccessControl},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Article{	  samuel.ea:context-aware:2008,
+  author	= {Samuel, A. and Ghafoor, A. and Bertino, E.},
+  title		= {Context-Aware Adaptation of Access-Control Policies},
+  journal	= {Internet Computing, IEEE},
+  year		= 2008,
+  volume	= 12,
+  number	= 1,
+  pages		= {51--54},
+  abstract	= {Today, public-service delivery mechanisms such as
+		  hospitals, police, and fire departments rely on digital
+		  generation, storage, and analysis of vital information. To
+		  protect critical digital resources, these organizations
+		  employ access-control mechanisms, which define rules under
+		  which authorized users can access the resources they need
+		  to perform organizational tasks. Natural or man-made
+		  disasters pose a unique challenge, whereby previously
+		  defined constraints can potentially debilitate an
+		  organization's ability to act. Here, the authors propose
+		  employing contextual parameters - specifically, activity
+		  context in the form of emergency warnings - to adapt
+		  access-control policies according to a priori
+		  configuration.},
+  keywords	= {authorisation, disasters, organisational
+		  aspectsaccess-control policy, context-aware adaptation,
+		  digital resource protection, natural disaster,
+		  organizational task, public-service delivery mechanism},
+  doi		= {10.1109/MIC.2008.6},
+  issn		= {1089-7801},
+  tags		= {ReadingList, AccessControl, SoKNOS},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Article{	  adam.ea:secure:2007,
+  author	= {Nabil Adam and Ahmet Kozanoglu and Aabhas Paliwal and
+		  Basit Shafiq},
+  title		= {Secure Information Sharing in a Virtual Multi-Agency Team
+		  Environment},
+  journal	= j-entcs,
+  year		= 2007,
+  volume	= 179,
+  pages		= {97--109},
+  issn		= {1571-0661},
+  abstract	= {This paper proposes a two tier RBAC approach for secure
+		  and selective information sharing among virtual
+		  multi-agency response team (VMART) and allows expansion of
+		  the VMART by admitting new collaborators (government
+		  agencies or NGOs) as need arise. A coordinator Web Service
+		  for each member agency is proposed. The coordinator Web
+		  Service is responsible for authentication, information
+		  dissemination, information acquisition, role creation and
+		  enforcement of predefined access control policies. Secure,
+		  selective and fine-grained information sharing is realized
+		  through the encryption of XML documents according to RBAC
+		  policies defined for the corresponding XML schema.},
+  doi		= {http://dx.doi.org/10.1016/j.entcs.2006.08.034},
+  publisher	= pub-elsevier,
+  address	= pub-elsevier:adr,
+  tags		= {ReadingList, SoKNOS},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  alam.ea:framework:2006,
+  author	= {Muhammad Alam and Michael Hafner and Ruth Breu and Stefan
+		  Unterthiner},
+  title		= {A Framework for Modeling Restricted Delegation in Service
+		  Oriented Architecture},
+  booktitle	= {TrustBus},
+  year		= 2006,
+  pages		= {142--151},
+  ee		= {http://dx.doi.org/10.1007/11824633_15},
+  crossref	= {fischer-hubner.ea:trust:2006},
+  tags		= {ReadingList, SoKNOS},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Proceedings{	  fischer-hubner.ea:trust:2006,
+  title		= {Trust and Privacy in Digital Business, Third International
+		  Conference, TrustBus 2006, Krakow, Poland, September 4-8,
+		  2006, Proceedings},
+  year		= 2006,
+  editor	= {Simone Fischer-H{\"u}bner and Steven Furnell and Costas
+		  Lambrinoudakis},
+  volume	= 4083,
+  series	= s-lncs,
+  publisher	= pub-springer,
+  booktitle	= {TrustBus},
+  isbn		= {3-540-37750-6},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  el-atawy.ea:policy:2005,
+  author	= {Adel El-Atawy and K. Ibrahim and H. Hamed and Ehab
+		  Al-Shaer},
+  title		= {Policy segmentation for intelligent firewall testing},
+  booktitle	= {NPSec 05},
+  year		= 2005,
+  pages		= {67--72},
+  month		= nov,
+  publisher	= pub-ieee,
+  day		= 6,
+  keywords	= {computer networks, intelligent networks, telecommunication
+		  security, telecommunication traffic intelligent firewall
+		  testing, network security, network traffic, packet
+		  filtering algorithms, policy segmentation},
+  acknowledgement={none},
+  tags		= {ReadingList, Testing, FWTesting},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  el-atawy.ea:automated:2007,
+  author	= {Adel El-Atawy and Taghrid Samak and Zein Wali and Ehab
+		  Al-Shaer and Frank Lin and Christopher Pham and Sheng Li},
+  title		= {An Automated Framework for Validating Firewall Policy
+		  Enforcement},
+  booktitle	= {\acs{policy} '07},
+  year		= 2007,
+  pages		= {151--160},
+  publisher	= pub-ieee,
+  acknowledgement={none},
+  tags		= {ReadingList, Testing, FWTesting},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  bishop.ea:engineering:2006,
+  author	= {Steve Bishop and Matthew Fairbairn and Michael Norrish and
+		  Peter Sewell and Michael Smith and Keith Wansbrough},
+  title		= {Engineering with logic: \acs{hol} specification and
+		  symbolic-evaluation testing for \acs{tcp} implementations},
+  booktitle	= {\acs{popl}},
+  year		= 2006,
+  pages		= {55--66},
+  crossref	= {morrisett.ea:proceedings:2006},
+  acknowledgement={none},
+  tags		= {ReadingList, FWTesting, Testing},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Proceedings{	  morrisett.ea:proceedings:2006,
+  title		= {\acs{popl}},
+  year		= 2006,
+  editor	= {J. Gregory Morrisett and Simon L. Peyton Jones},
+  publisher	= pub-acm,
+  booktitle	= {\acs{popl}},
+  adress	= pub-acm:adr,
+  acknowledgement={none},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  marmorstein.ea:firewall:2006,
+  author	= {Robert Marmorstein and Phil Kearns},
+  title		= {Firewall analysis with policy-based host classification},
+  booktitle	= {\acs{lisa}'06},
+  year		= 2006,
+  pages		= {4--4},
+  publisher	= {\acs{usenix} Association},
+  location	= {Washington, \acs{dc}},
+  acknowledgement={none},
+  tags		= {ReadingList, FWTesting, Testing},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  richters.ea:formalizing:1998,
+  abstract	= {We present a formal semantics for the Object Constraint
+		  Language (OCL) which is part of the Unified Modeling
+		  Language (UML) - an emerging standard language and notation
+		  for object-oriented analysis and design. In context of
+		  information systems modeling, UML class diagrams can be
+		  utilized for describing the overall structure, whereas
+		  additional integrity constraints and queries are specified
+		  with OCL expressions. By using OCL, constraints and queries
+		  can be specified in a formal yet comprehensible way.
+		  However, the OCL itself is currently defined only in a
+		  semi-formal way. Thus the semantics of constraints is in
+		  general not precisely defined. Our approach gives precise
+		  meaning to OCL concepts and to some central aspects of UML
+		  class models. A formal semantics facilitates verification,
+		  validation and simulation of models and helps to improve
+		  the quality of models and software designs.},
+  bibkey	= {richters.ea:formalizing:1998},
+  author	= {Mark Richters and Martin Gogolla},
+  title		= {On Formalizing the \acs{uml} Object Constraint Language
+		  \acs{ocl}},
+  pages		= {449--464},
+  doi		= {10.1007/b68220},
+  crossref	= {ling.ea:conceptual:1998},
+  acknowledgement={brucker, 2007-02-19},
+  tags		= {MDE},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Proceedings{	  ling.ea:conceptual:1998,
+  language	= {USenglish},
+  editor	= {Tok Wang Ling and Sudha Ram and Mong-Li Lee},
+  booktitle	= {Conceptual Modeling---{ER} '98},
+  title		= {Conceptual Modeling---{ER} '98},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 1507,
+  doi		= {10.1007/b68220},
+  year		= 1998,
+  isbn		= {978-3-540-65189-5},
+  acknowledgement={brucker, 2007-02-19},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  cook.ea::amsterdam:2002,
+  abstract	= {In November 1998 the authors participated in a two-day
+		  workshop on the Object Constraint Language (OCL) in
+		  Amsterdam. The focus was to clarify issues about the
+		  semantics and the use of OCL, and to discuss useful and
+		  necessary extensions of OCL. Various topics have been
+		  raised and clarified. This manifesto contains the results
+		  of that workshop and the following work on these topics.
+		  Overview of OCL.},
+  author	= {Steve Cook and Anneke Kleppe and Richard Mitchell and
+		  Bernhard Rumpe and Jos Warmer and Alan Wills},
+  title		= {The Amsterdam Manifesto on \acs{ocl}},
+  pages		= {115--149},
+  crossref	= {clark.ea:object:2002},
+  acknowledgement={brucker, 2007-02-19},
+  tags		= {MDE},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  gogolla.ea:expressing:2001,
+  author	= {Martin Gogolla and Mark Richters},
+  bibkey	= {gogolla.ea:expressing:2001},
+  abstract	= {The Unified Modeling Language \acs{uml} is a complex
+		  language offering many modeling features. Especially the
+		  description of static structures with class diagrams is
+		  supported by a rich set of primitives. This paper shows how
+		  to transfrom \acs{uml} class diagrams involving cardinality
+		  constraints, qualifiers, association classes, aggregations,
+		  compositions, and generalizations into equivalent \acs{uml}
+		  class diagrams employing only binary associations and
+		  \acs{ocl} constraints. Thus we provide a better
+		  understanding of \acs{uml} features. By reducing more
+		  complex features in terms of basic ones, we suggest an easy
+		  way users can gradually extend the set of \acs{uml}
+		  elements they commonly apply in the modeling process.},
+  title		= {Expressing \acs{uml} Class Diagrams Properties with
+		  \acs{ocl}},
+  pages		= {85--114},
+  crossref	= {clark.ea:object:2002},
+  acknowledgement={brucker, 2007-02-19},
+  tags		= {MDE},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  richters.ea:ocl:2001,
+  abstract	= {{The Object Constraint Language \acs{ocl} allows to
+		  formally specify constraints on a \acs{uml} model. We
+		  present a formal syntax and semantics for \acs{ocl} based
+		  on set theory including expressions, invariants and pre-
+		  and postconditions. A formal foundation for \acs{ocl} makes
+		  the meaning of constraints precise and helps to eliminate
+		  ambiguities and inconsistencies. A precise language de
+		  nition is also a prerequisite for implementing CASE tools
+		  providing enhanced support for \acs{uml} models and
+		  \acs{ocl} constraints. We give a survey of some \acs{ocl}
+		  tools and discuss one of the tools in some more detail. The
+		  design and implementation of the USE tool supporting the
+		  validation of \acs{uml} models and \acs{ocl} constraints is
+		  based on the formal approach presented in this paper.}},
+  bibkey	= {richters.ea:ocl:2001},
+  author	= {Mark Richters and Martin Gogolla},
+  title		= {\acs{ocl}: Syntax, Semantics, and Tools.},
+  pages		= {42--68},
+  crossref	= {clark.ea:object:2002},
+  acknowledgement={brucker, 2007-02-19},
+  tags		= {MDE},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  hennicker.ea:precise:2002,
+  author	= {Rolf Hennicker and Heinrich Hu{\ss}mann and Michel Bidoit},
+  title		= {On the Precise Meaning of \acs{ocl} Constraints},
+  pages		= {69--84},
+  crossref	= {clark.ea:object:2002},
+  abstract	= {When OCL is applied in concrete examples, many questions
+		  arise about the precise meaning of OCL constraints. The
+		  same kind of difficulties appears when automatic support
+		  tools for OCL are designed. These questions are due to the
+		  lack of a precise semantics of OCL constraints in the
+		  context of a UML model. The aim of this paper is to
+		  contribute to a clarification of several issues, like
+		  interpretation of invariants and pre- and postconditions,
+		  treatment of undefined values, inheritance of constraints,
+		  transformation rules for OCL constraints and computation of
+		  proof obligations. Our study is based on a formal, abstract
+		  semantics of OCL.},
+  bibkey	= {hennicker.ea:precise:2002},
+  acknowledgement={brucker, 2007-02-19},
+  tags		= {MDE},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Proceedings{	  clark.ea:object:2002,
+  editor	= {Tony Clark and Jos Warmer},
+  booktitle	= {Object Modeling with the \acs{ocl}: The Rationale behind
+		  the Object Constraint Language},
+  title		= {Object Modeling with the \acs{ocl}: The Rationale behind
+		  the Object Constraint Language},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 2263,
+  year		= 2002,
+  isbn		= {3-540-43169-1},
+  acknowledgement={brucker, 2007-02-19},
+  tags		= {MDE},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  cengarle.ea:formal:2001,
+  author	= {Mar\'{\i}a Victoria Cengarle and Alexander Knapp},
+  title		= {A Formal Semantics for \acs{ocl} 1.4},
+  year		= 2001,
+  abstract	= {The OCL 1.4 specification introduces let-declarations for
+		  adding auxiliary class features in static structures of the
+		  UML. We provide a type inference system and a big-step
+		  operational semantics for the OCL 1.4 that treat UML static
+		  structures and UML object models and accommodate for
+		  additional declarations; the operational semantics
+		  satisfies a subject reduction property with respect to the
+		  type inference system. We also discuss an alternative,
+		  non-operational interpretation of let-declarations as
+		  constraints.},
+  pages		= {118--133},
+  crossref	= {gogolla.ea:uml:2001},
+  acknowledgement={brucker, 2007-02-19},
+  tags		= {MDE},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Proceedings{	  gogolla.ea:uml:2001,
+  editor	= {Martin Gogolla and Cris Kobryn},
+  booktitle	= {\acs{uml} 2001---The Unified Modeling Language. Modeling
+		  Languages, Concepts, and Tools},
+  title		= {\acs{uml} 2001---The Unified Modeling Language. Modeling
+		  Languages, Concepts, and Tools},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 2185,
+  year		= 2001,
+  isbn		= {3-540-42667-1},
+  location	= {Toronto, Canada},
+  acknowledgement={brucker, 2007-02-19},
+  tags		= {MDE},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@TechReport{	  balzer.ea:objects:2008,
+  author	= {Stephanie Balzer and Alexandra Burns and Thomas R. Gross},
+  title		= {Objects in Context: An Empirical Study of Object
+		  Relationships},
+  institution	= {\acs{eth} Zurich},
+  year		= 2008,
+  abstract	= {Object collaborations are at the core of all
+		  object-oriented programming, yet current class-based
+		  objectoriented programming languages do not provide an
+		  explicit construct to capture the relationships between
+		  objects. This paper reports on an empirical study that
+		  investigates the occurrence of object collaborations to
+		  assess the need of intrinsic support for relationships in a
+		  programming language. We introduce a categorization of
+		  possible forms of object collaborations and their
+		  corresponding implementation patterns when using a
+		  traditional class-based object-oriented language (Java) and
+		  analyze 25 Java programs (ranging from 4 to 6275 classes)
+		  with the Relationship Detector for Java (RelDJ) to identify
+		  occurrences of these patterns. The empirical results show
+		  that object collaborations are indeed a frequent phenomenon
+		  and reveal that collaborationrelated code does not remain
+		  encapsulated in a single class. These observations strongly
+		  support efforts to define language constructs to express
+		  object relationships: relationships allow the encapsulation
+		  of a frequently occurring phenomenon and increase program
+		  expressiveness. },
+  keywords	= {Relationship-based Programming Languages, First-class
+		  Relationships, Object Collaborations, Java, Bytecode
+		  Analysis},
+  tags		= {ReadingList, OOP},
+  clearance	= {unclassified},
+  timestap	= {2008-05-28},
+  number	= 594
+}
+
+@InProceedings{	  owre.ea:pvs:1996,
+  author	= {Sam Owre and S. Rajan and John M. Rushby and Natarajan
+		  Shankar and Mandayam K. Srivas},
+  title		= {\acs{pvs}: Combining Specification, Proof Checking, and
+		  Model Checking},
+  year		= 1996,
+  bibkey	= {owre.ea:pvs:1996},
+  pages		= {411--414},
+  crossref	= {alur.ea:computer:1996},
+  doi		= {10.1007/3-540-61474-5_91},
+  acknowledgement={brucker, 2007-02-19},
+  tags		= {TheoremProving, FormalMethods},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Proceedings{	  alur.ea:computer:1996,
+  editor	= {Rajeev Alur and Thomas A. Henzinger},
+  booktitle	= {Computer Aided Verification (\acs{cav})},
+  title		= {Computer Aided Verification (\acs{cav})},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 1102,
+  year		= 1996,
+  location	= {New Brunswick, \acs{nj}, \acs{usa}},
+  doi		= {10.1007/3-540-61474-5},
+  isbn		= {3-540-61474-5},
+  acknowledgement={brucker, 2007-02-19},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  naraschewski.ea:object-oriented:1998,
+  author	= {Wolfgang Naraschewski and Markus Wenzel},
+  title		= {Object-Oriented Verification Based on Record Subtyping in
+		  Higher-Order Logic.},
+  pages		= {349--366},
+  doi		= {10.1007/BFb0055146},
+  crossref	= {grundy.ea:theorem:1998},
+  abstract	= {We show how extensible records with structural subtyping
+		  can be represented directly in Higher-Order Logic
+		  (\acs{hol}). Exploiting some specific properties of
+		  \acs{hol}, this encoding turns out to be extremely simple.
+		  In particular, structural subtyping is subsumed by naive
+		  parametric polymorphism, while overridable generic
+		  functions may be based on overloading. Taking \acs{hol}
+		  plus extensible records as a starting point, we then set
+		  out to build an environment for object-oriented
+		  specification and verification (HOOL). This framework
+		  offers several well-known concepts like classes, objects,
+		  methods and late-binding. All of this is achieved by very
+		  simple means within \acs{hol}. },
+  keywords	= {Isabelle/\acs{hol}, extensible records,
+		  object-orientation, verification},
+  bibkey	= {naraschewski.ea:object-oriented:1998},
+  acknowledgement={brucker, 2007-02-19},
+  tags		= {TheoremProving, FormalMethods},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Proceedings{	  grundy.ea:theorem:1998,
+  editor	= {Jim Grundy and Malcolm C. Newey},
+  title		= {Theorem Proving in Higher Order Logics (\acs{tphols})},
+  booktitle	= {Theorem Proving in Higher Order Logics (\acs{tphols})},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 1479,
+  year		= 1998,
+  doi		= {10.1007/BFb0055125},
+  isbn		= {3-540-64987-5},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  oheimb.ea:hoare:2002,
+  author	= {David von Oheimb and Tobias Nipkow},
+  title		= {Hoare Logic for {NanoJava}: Auxiliary Variables, Side
+		  Effects, and Virtual Methods Revisited},
+  pages		= {89--105},
+  doi		= {10.1007/3-540-45614-7_6},
+  crossref	= {eriksson.ea:fme:2002},
+  acknowledgement={brucker, 2007-02-19},
+  abstract	= {We define NanoJava, a kernel of Java tailored to the
+		  investigation of Hoare logics. We then introduce a Hoare
+		  logic for this language featuring an elegant new approach
+		  for expressing auxiliary variables: by universal
+		  quantification on the outer logical level. Furthermore, we
+		  give simple means of handling side-effecting expressions
+		  and dynamic binding within method calls. The logic is
+		  proved sound and (relatively) complete using
+		  Isabelle/\acs{hol}.},
+  keywords	= {Languages, Reliability, Theory, Verification},
+  tags		= {OOP, FormalMethods},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Proceedings{	  eriksson.ea:fme:2002,
+  editor	= {Lars-Henrik Eriksson and Peter Alexander Lindsay},
+  booktitle	= {\acs{fme} 2002: Formal Methods---Getting {IT} Right},
+  title		= {\acs{fme} 2002: Formal Methods---Getting {IT} Right},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 2391,
+  doi		= {10.1007/3-540-45614-7},
+  year		= 2002,
+  isbn		= {3-540-43928-5},
+  acknowledgement={brucker, 2007-02-19},
+  tags		= {noTAG},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@Article{	  rudnicki:obvious:1987,
+  author	= {Piotr Rudnicki},
+  key		= {Rudnicki},
+  journal	= j-ar,
+  title		= {Obvious Inferences},
+  year		= 1987,
+  month		= dec,
+  volume	= 3,
+  doi		= {10.1007/BF00247436},
+  number	= 4,
+  abstract	= {The notion of 'obvious' inference in predicate logic is
+		  discussed from the viewpoint of proof- checker applications
+		  in logic and mathematics education. A class of inferences
+		  in predicate logic is defined and it is proposed to
+		  identify it with the class of 'obvious' logical inferences.
+		  The definition is compared with other approaches. The
+		  algorithm for implementing the "obviousness' decision
+		  procedure follows directly from the definition.},
+  pages		= {383--394},
+  publisher	= pub-springer-netherlands,
+  address	= pub-springer-netherlands:adr,
+  tags		= {noTAG},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  stroustrup:what:1987,
+  author	= {Bjarne Stroustrup},
+  title		= {What is "Object-Oriented Programming?"},
+  booktitle	= {ECOOP},
+  year		= 1987,
+  pages		= {51--70},
+  abstract	= {"Object-Oriented Programming" and "Data ion" have become
+		  very common terms. Unfortunately, few people agree on what
+		  they mean. I will offer informal definitions that appear to
+		  make sense in the context of languages like Ada, C++,
+		  Modula-2, Simula67, and Smalltalk. The general idea is to
+		  equate "support for data abstraction" with the ability to
+		  define and use new types and equate "support for
+		  object-oriented programming" with the ability to express
+		  type hierarchies. Features necessary to support these
+		  programming styles in a general purpose programming
+		  language will be discussed. The presentation centers around
+		  C++ but is not limited to facilities provided by that
+		  language.},
+  crossref	= {bezivin.ea:ecoop87:1987}
+}
+
+@Proceedings{	  bezivin.ea:ecoop87:1987,
+  editor	= {Jean B{\'e}zivin and Jean-Marie Hullot and Pierre Cointe
+		  and Henry Lieberman},
+  title		= {ECOOP'87 European Conference on Object-Oriented
+		  Programming, Paris, France, June 15-17, 1987, Proceedings},
+  booktitle	= {ECOOP},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 276,
+  year		= 1987,
+  isbn		= {3-540-18353-1},
+  location	= {Paris, France}
+}
+
+@Book{		  nipkow.ea:isabelle:2002,
+  author	= {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel},
+  title		= {Isabelle/{HOL}---A Proof Assistant for Higher-Order Logic},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 2283,
+  doi		= {10.1007/3-540-45949-9},
+  abstract	= {This book is a self-contained introduction to interactive
+		  proof in higher-order logic (\acs{hol}), using the proof
+		  assistant Isabelle2002. It is a tutorial for potential
+		  users rather than a monograph for researchers. The book has
+		  three parts.
+		  
+		  1. Elementary Techniques shows how to model functional
+		  programs in higher-order logic. Early examples involve
+		  lists and the natural numbers. Most proofs are two steps
+		  long, consisting of induction on a chosen variable followed
+		  by the auto tactic. But even this elementary part covers
+		  such advanced topics as nested and mutual recursion. 2.
+		  Logic and Sets presents a collection of lower-level tactics
+		  that you can use to apply rules selectively. It also
+		  describes Isabelle/\acs{hol}'s treatment of sets, functions
+		  and relations and explains how to define sets inductively.
+		  One of the examples concerns the theory of model checking,
+		  and another is drawn from a classic textbook on formal
+		  languages. 3. Advanced Material describes a variety of
+		  other topics. Among these are the real numbers, records and
+		  overloading. Advanced techniques are described involving
+		  induction and recursion. A whole chapter is devoted to an
+		  extended example: the verification of a security protocol. },
+  year		= 2002,
+  acknowledgement={brucker, 2007-02-19},
+  bibkey	= {nipkow.ea:isabelle:2002},
+  tags		= {noTAG},
+  clearance	= {unclassified},
+  timestap	= {2008-05-26}
+}
+
+@InProceedings{	  kerber.ea:mechanization:1994,
+  author	= {Manfred Kerber and Michael Kohlhase},
+  title		= {A Mechanization of Strong Kleene Logic for Partial
+		  Functions},
+  pages		= {371--385},
+  crossref	= {bundy:automated:1994},
+  abstract	= {Even though it is not very often admitted, partial
+		  functions do play a significant role in many practical
+		  applications of deduction systems. Kleene has already given
+		  a semantic account of partial functions using three-valued
+		  logic decades ago, but there has not been a satisfactory
+		  mechanization. Recent years have seen a thorough
+		  investigation of the framework of many-valued
+		  truth-functional logics. However, strong Kleene logic,
+		  where quantification is restricted and therefore not
+		  truth-functional, does not fit the framework directly. We
+		  solve this problem by applying recent methods from sorted
+		  logics. This paper presents a resolution calculus that
+		  combines the proper treatment of partial functions with the
+		  efficiency of sorted calculi.},
+  doi		= {10.1007/3-540-58156-1_26},
+  acknowledgement={brucker, 2007-02-19},
+  bibkey	= {kerber.ea:mechanization:1994}
+}
+
+@Proceedings{	  bundy:automated:1994,
+  editor	= {Alan Bundy},
+  booktitle	= {Automated Deduction---\acs{cade}-12},
+  title		= {Automated Deduction---\acs{cade}-12},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  location	= {Nancy, France},
+  volume	= 814,
+  year		= 1994,
+  isbn		= {3-540-58156-1},
+  acknowledgement={brucker, 2007-02-19},
+  doi		= {10.1007/3-540-58156-1}
+}
+
+@InProceedings{	  hahnle:towards:1991,
+  author	= {Reiner H{\"a}hnle},
+  title		= {Towards an Efficient Tableau Proof Procedure for
+		  Multiple-Valued Logics},
+  pages		= {248--260},
+  crossref	= {borger.ea:computer:1991},
+  doi		= {10.1007/3-540-54487-9_62},
+  abstract	= {One of the obstacles against the use of tableau-based
+		  theorem provers for non-standard logics is the inefficiency
+		  of tableau systems in practical applications, though they
+		  are highly intuitive and extremely flexible from a proof
+		  theoretical point of view. We present a method for
+		  increasing the efficiency of tableau systems in the case of
+		  multiple-valued logics by introducing a generalized notion
+		  of signed formulas and give sound and complete tableau
+		  systems for arbitrary propositional finite-valued logics.},
+  acknowledgement={brucker, 2007-02-19},
+  bibkey	= {hahnle:towards:1991}
+}
+
+@Proceedings{	  borger.ea:computer:1991,
+  editor	= {Egon B{\"o}rger and Hans Kleine B{\"u}ning and Michael M.
+		  Richter and Wolfgang Sch{\"o}nfeld},
+  title		= {Computer Science Logic (\acs{csl})},
+  booktitle	= {Computer Science Logic (\acs{csl})},
+  series	= s-lncs,
+  volume	= 533,
+  year		= 1991,
+  doi		= {10.1007/3-540-54487-9},
+  isbn		= {978-3-540-54487-6},
+  acknowledgement={brucker, 2007-02-19},
+  publisher	= pub-springer,
+  address	= pub-springer:adr
+}
+
+@InProceedings{	  berghofer.ea:inductive:1999,
+  author	= {Stefan Berghofer and Markus Wenzel},
+  title		= {Inductive datatypes in \acs{hol}---lessons learned in
+		  Formal-Logic Engineering},
+  pages		= {19--36},
+  crossref	= {bertot.ea:theorem:1999},
+  bibkey	= {berghofer.ea:inductive:1999},
+  month		= sep,
+  doi		= {10.1007/3-540-48256-3_3},
+  acknowledgement={brucker, 2007-02-19}
+}
+
+@Proceedings{	  bertot.ea:theorem:1999,
+  editor	= {Yves Bertot and Gilles Dowek and Andr{\'e} Hirschowitz and
+		  C. Paulin and Laurent Th{\'e}ry},
+  title		= {Theorem Proving in Higher Order Logics (\acs{tphols})},
+  booktitle	= {Theorem Proving in Higher Order Logics (\acs{tphols})},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 1690,
+  acknowledgement={brucker, 2007-02-19},
+  location	= {Nice, France},
+  year		= 1999,
+  isbn		= {3-540-66463-7}
+}
+
+@Proceedings{	  geuvers.ea:types:2003,
+  editor	= {Herman Geuvers and Freek Wiedijk},
+  title		= {Types for Proofs and Programs (\acs{types})},
+  booktitle	= {Types for Proofs and Programs (\acs{types})},
+  publisher	= pub-springer,
+  location	= {Nijmegen},
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 2646,
+  language	= {USenglish},
+  year		= 2003,
+  isbn		= {3-540-14031-X},
+  acknowledgement={brucker, 2007-02-19}
+}
+
+@InProceedings{	  angelo.ea:degrees:1994,
+  author	= {Catia M. Angelo and Luc J. M. Claesen and Hugo De Man},
+  title		= {Degrees of Formality in Shallow Embedding Hardware
+		  Description Languages in \acs{hol}},
+  pages		= {89--100},
+  doi		= {10.1007/3-540-57826-9_127},
+  crossref	= {joyce.ea:higher:1994},
+  bibkey	= {angelo.ea:degrees:1994},
+  acknowledgement={brucker, 2007-02-19}
+}
+
+@Proceedings{	  joyce.ea:higher:1994,
+  editor	= {Jeffrey J. Joyce and Carl-Johan H. Seger},
+  title		= {Higher Order Logic Theorem Proving and Its Applications
+		  (\acs{hug})},
+  booktitle	= {Higher Order Logic Theorem Proving and Its Applications
+		  (\acs{hug})},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  abstract	= {Theorem proving based techniques for formal hardware
+		  verification have been evolving constantly and researchers
+		  are getting able to reason about more complex issues than
+		  it was possible or practically feasible in the past. It is
+		  often the case that a model of a system is built in a
+		  formal logic and then reasoning about this model is carried
+		  out in the logic. Concern is growing on how to consistently
+		  interface a model built in a formal logic with an informal
+		  CAD environment. Researchers have been investigating how to
+		  define the formal semantics of hardware description
+		  languages so that one can formally reason about models
+		  informally dealt with in a CAD environment. At the
+		  University of Cambridge, the embedding of hardware
+		  description languages in a logic is classified in two
+		  categories: deep embedding and shallow embedding. In this
+		  paper we argue that there are degrees of formality in
+		  shallow embedding a language in a logic. The choice of the
+		  degree of formality is a trade-off between the security of
+		  the embedding and the amount and complexity of the proof
+		  effort in the logic. We also argue that the design of a
+		  language could consider this verifiability issue. There are
+		  choices in the design of a language that can make it easier
+		  to improve the degree of formality, without implying
+		  serious drawbacks for the CAD environment.},
+  volume	= 780,
+  year		= 1994,
+  doi		= {10.1007/3-540-57826-9},
+  isbn		= {3-540-57826-9},
+  acknowledgement={brucker, 2007-02-19}
+}
+
+@InProceedings{	  huffman.ea:axiomatic:2005,
+  author	= {Brian Huffman and John Matthews and Peter White},
+  title		= {Axiomatic Constructor Classes in {Isabelle}/{HOL}.},
+  pages		= {147--162},
+  year		= {2005},
+  doi		= {10.1007/11541868_10},
+  acknowledgement={brucker, 2007-02-19},
+  bibkey	= {huffman.ea:axiomatic:2005},
+  abstract	= {We have definitionally extended Isabelle/HOLCF to support
+		  axiomatic Haskell-style constructor classes. We have
+		  subsequently defined the functor and monad classes,
+		  together with their laws, and implemented state and
+		  resumption monad transformers as generic constructor class
+		  instances. This is a step towards our goal of giving
+		  modular denotational semantics for concurrent lazy
+		  functional programming languages, such as GHC Haskell.}
+}
+
+@InProceedings{	  marche.ea:reasoning:2005,
+  author	= {Claude March{\'e} and Christine Paulin-Mohring},
+  title		= {Reasoning About {Java} Programs with Aliasing and Frame
+		  Conditions},
+  pages		= {179--194},
+  crossref	= {hurd.ea:theorem:2005},
+  abstract	= {Several tools exist for reasoning about Java programs
+		  annotated with JML specifications. A main issue is to deal
+		  with possible aliasing between objects and to handle
+		  correctly the frame conditions limiting the part of memory
+		  that a method is allowed to modify. Tools designed for
+		  automatic use (like ESC/Java) are not complete and even not
+		  necessarily correct. On the other side, tools which offer a
+		  full modeling of the program require a heavy user
+		  interaction for discharging proof obligations. In this
+		  paper, we present the modeling of Java programs used in the
+		  Krakatoa tool, which generates proof obligations expressed
+		  in a logic language suitable for both automatic and
+		  interactive reasoning. Using the Simplify automatic theorem
+		  prover, we are able to establish automatically more
+		  properties than static analysis tools, with a method which
+		  is guaranteed to be sound, assuming only the correctness of
+		  our logical interpretation of programs and
+		  specifications.},
+  doi		= {10.1007/11541868_12},
+  acknowledgement={brucker, 2007-02-19},
+  bibkey	= {marche.ea:reasoning:2005}
+}
+
+@Proceedings{	  hurd.ea:theorem:2005,
+  editor	= {Joe Hurd and Thomas F. Melham},
+  title		= {Theorem Proving in Higher Order Logics (\acs{tphols})},
+  booktitle	= {Theorem Proving in Higher Order Logics (\acs{tphols})},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 3603,
+  doi		= {10.1007/11541868},
+  year		= 2005,
+  isbn		= {978-3-540-28372-0},
+  acknowledgement={brucker, 2007-02-19}
+}
+
+@InProceedings{	  leino.ea:modular:2005,
+  author	= {K. Rustan M. Leino and Peter M{\"u}ller},
+  title		= {Modular Verification of Static Class Invariants.},
+  pages		= {26--42},
+  doi		= {10.1007/11526841_4},
+  abstract	= {Object invariants describe the consistency of
+		  object-oriented data structures and are central to
+		  reasoning about the correctness of object-oriented
+		  software. But object invariants are not the only
+		  consistency conditions on which a program may depend. The
+		  data in object-oriented programs consists not just of
+		  object fields, but also of static fields, which hold data
+		  that is shared among objects. The consistency of static
+		  fields is described by static class invariants, which are
+		  enforced at the class level. Static class invariants can
+		  also mention instance fields, describing the consistency of
+		  dynamic data structures rooted in static fields. Sometimes
+		  there are even consistency conditions that relate the
+		  instance fields of many or all objects of a class; static
+		  class invariants describe these relations, too, since they
+		  cannot be enforced by any one object in isolation. This
+		  paper presents a systematic way (a methodology) for
+		  specifying and verifying static class invariants in
+		  object-oriented programs. The methodology supports the
+		  three major uses of static fields and invariants in the
+		  Java library. The methodology is amenable to static,
+		  modular verification and is sound.},
+  crossref	= {fitzgerald.ea:fm:2005},
+  acknowledgement={brucker, 2007-02-19}
+}
+
+@InProceedings{	  basin.ea:verification:2005,
+  author	= {David A. Basin and Hironobu Kuruma and Kazuo Takaragi and
+		  Burkhart Wolff},
+  abstract	= {We report on a case study in using \holz, an embedding of
+		  Z in higher-order logic, to specify and verify a security
+		  architecture for administering digital signatures. We have
+		  used \holz{} to formalize and combine both data-oriented
+		  and process-oriented architectural views. Afterwards, we
+		  formalized temporal requirements in Z and carried out
+		  verification in higher-order logic. The same architecture
+		  has been previously verified using the SPIN model checker.
+		  Based on this, we provide a detailed comparison of these
+		  two di erent approaches to formalization (infinite state
+		  with rich data types versus finite state) and verification
+		  (theorem proving versus model checking). Contrary to common
+		  belief, our case study suggests that Z is well suited for
+		  temporal reasoning about process models with rich data.
+		  Moreover, our comparison highlights the advantages of this
+		  approach and provides evidence that, in the hands of
+		  experienced users, theorem proving is neither substantially
+		  more time-consuming nor more complex than model checking.},
+  title		= {Verification of a Signature Architecture with \holz},
+  pages		= {269--285},
+  crossref	= {fitzgerald.ea:fm:2005},
+  language	= {USenglish},
+  acknowledgement={brucker, 2007-02-19},
+  doi		= {10.1007/11526841_19},
+  bibkey	= {basin.ea:verification:2005}
+}
+
+@Proceedings{	  fitzgerald.ea:fm:2005,
+  editor	= {John Fitzgerald and Ian J. Hayes and Andrzej Tarlecki},
+  booktitle	= {{FM} 2005: Formal Methods},
+  title		= {{FM} 2005: Formal Methods},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 3582,
+  year		= 2005,
+  acknowledgement={brucker, 2007-02-19},
+  doi		= {10.1007/11526841},
+  isbn		= {978-3-540-27882-5},
+  location	= {Newcastle, UK}
+}
+
+@phdthesis{Lazic1998ASS,
+  title={A semantic study of data-independence with applications to the 
+         mechanical verification of concurren},
+  author={Ranko S. Lazic},
+  school={University of Oxford},
+  year={1999}
+}
+
+@InProceedings{	  barnett.ea:spec:2004,
+  author	= {Mike Barnett and K. Rustan M. Leino and Wolfram Schulte},
+  abstract	= "Spec# is the latest in a long line of work on programming
+		  languages and systems aimed at improving the development of
+		  correct software. This paper describes the goals and
+		  architecture of the Spec# programming system, consisting of
+		  the object-oriented Spec# programming language, the Spec#
+		  compiler, and the Boogie static program verifier. The
+		  language includes constructs for writing specifications
+		  that capture programmer intentions about how methods and
+		  data are to be used, the compiler emits run-time checks to
+		  enforce these specifications, and the verifier can check
+		  the consistency between a program and its specifications.",
+  language	= {USenglish},
+  title		= {The {\Specsharp} programming system: An overview},
+  pages		= {49--69},
+  crossref	= {barthe.ea:construction:2005},
+  bibkey	= {barnett.ea:spec:2004},
+  doi		= {10.1007/b105030},
+  acknowledgement={brucker, 2007-02-19},
+  month		= may # {~25}
+}
+
+@Proceedings{	  barthe.ea:construction:2005,
+  editor	= {Gilles Barthe and Lilian Burdy and Marieke Huisman and
+		  Jean-Louis Lanet and Traian Muntean},
+  title		= {Construction and Analysis of Safe, Secure, and
+		  Interoperable Smart Devices (\acs{cassis})},
+  booktitle	= {Construction and Analysis of Safe, Secure, and
+		  Interoperable Smart Devices (\acs{cassis})},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 3362,
+  year		= 2005,
+  isbn		= {978-3-540-24287-1},
+  acknowledgement={brucker, 2007-02-19},
+  doi		= {10.1007/b105030}
+}
+
+@InProceedings{	  jacobs.ea:java:2004,
+  author	= {Bart Jacobs and Erik Poll},
+  title		= {{Java} Program Verification at {Nijmegen}: Developments
+		  and Perspective.},
+  doi		= {10.1007/b102118},
+  pages		= {134--153},
+  acknowledgement={brucker, 2007-02-19},
+  abstract	= {This paper presents a historical overview of the work on
+		  Java program verification at the University of Nijmegen
+		  (the Netherlands) over the past six years (1997-2003). It
+		  describes the development and use of the LOOP tool that is
+		  central in this work. Also, it gives a perspective on the
+		  field.},
+  crossref	= {futatsugi.ea:software:2004}
+}
+
+@Proceedings{	  futatsugi.ea:software:2004,
+  editor	= {Kokichi Futatsugi and Fumio Mizoguchi and Naoki Yonezaki},
+  title		= {Software Security---Theories and Systems (\acs{isss})},
+  booktitle	= {Software Security---Theories and Systems (\acs{isss})},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  acknowledgement={brucker, 2007-02-19},
+  volume	= 3233,
+  year		= 2004,
+  doi		= {10.1007/b102118},
+  isbn		= {978-3-540-23635-1}
+}
+
+@InProceedings{	  meyer.ea:architecture:2000,
+  author	= {J{\"o}rg Meyer and Arnd Poetzsch-Heffter},
+  title		= {An Architecture for Interactive Program Provers},
+  abstract	= {Formal specification and verification techniques can
+		  improve the quality of programs by enabling the analysis
+		  and proof of semantic program properties. This paper
+		  describes the modular architecture of an interactive
+		  program prover that we are currently developing for a Java
+		  subset. In particular, it discusses the integration of a
+		  programming language-specific prover component with a
+		  general purpose theorem prover.},
+  pages		= {63--77},
+  crossref	= {graf.ea:tools:2000}
+}
+
+@Proceedings{	  graf.ea:tools:2000,
+  editor	= {Susanne Graf and Michael I. Schwartzbach},
+  booktitle	= {Tools and Algorithms for the Construction and Analysis of
+		  Systems (\acs{tacas})},
+  title		= {Tools and Algorithms for the Construction and Analysis of
+		  Systems (\acs{tacas})},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 1785,
+  year		= 2000,
+  isbn		= {3-540-67282-6}
+}
+
+@InProceedings{	  markovic.ea:ocl:2006,
+  author	= {Sali{\v s}a Markovi{\'c} and Thomas Baar},
+  language	= {USenglish},
+  doi		= {10.1007/11880240_46},
+  acknowledgement={brucker, 2007-02-19},
+  pages		= {661--675},
+  title		= {An {\acs{ocl}} Semantics Specified with {\textsc{qvt}}},
+  crossref	= {nierstrasz.ea:model:2006},
+  abstract	= {Metamodeling became in the last decade a widely accepted
+		  tool to describe the (abstract) syntax of modeling
+		  languages in a concise, but yet precise way. For the
+		  description of the language's semantics, the situation is
+		  less satisfactory and formal semantics definitions are
+		  still seen as a challenge. In this paper, we propose an
+		  approach to specify the semantics of modeling languages in
+		  a graphical way. As an example, we describe the evaluation
+		  semantics of OCL by transformation rules written in the
+		  graphical formalism QVT. We believe that the graphical
+		  format of our OCL semantics has natural advantages with
+		  respect to understandability compared to existing
+		  formalizations of OCL's semantics. Our semantics can also
+		  be seen as a reference implementation of an OCL evaluator,
+		  because the transformation rules can be executed by any QVT
+		  compliant transformation engine.}
+}
+
+@InProceedings{	  pons.ea:ocl-based:2006,
+  author	= {Claudia Pons and Diego Garcia},
+  title		= {An {OCL}-Based Technique for Specifying and Verifying
+		  Refinement-Oriented Transformations in {MDE}},
+  booktitle	= {MoDELS},
+  year		= 2006,
+  pages		= {646--660},
+  doi		= {10.1007/11880240_45},
+  crossref	= {nierstrasz.ea:model:2006}
+}
+
+@InProceedings{	  kosiuczenko:specification:2006,
+  author	= {Piotr Kosiuczenko},
+  title		= {Specification of Invariability in \acs{ocl}},
+  pages		= {676--691},
+  doi		= {10.1007/11880240_47},
+  crossref	= {nierstrasz.ea:model:2006},
+  abstract	= {The paradigm of contractual specification provides a
+		  transparent way of specifying systems. It clearly
+		  distinguishes between client and implementer obligations.
+		  One of the best known languages used for this purpose is
+		  OCL. Nevertheless, OCL does not provide primitives for a
+		  compact specification of what remains unchanged when a
+		  method is executed. In this paper, problems with specifying
+		  invariability are listed and some weaknesses of existing
+		  solutions are pointed out. The question of specifying
+		  invariability in OCL is studied and a simple but expressive
+		  and flexible extension is proposed. It is shown that this
+		  extension has a simple OCL based semantics.}
+}
+
+@Proceedings{	  nierstrasz.ea:model:2006,
+  editor	= {Oscar Nierstrasz and Jon Whittle and David Harel and
+		  Gianna Reggio},
+  title		= {Model Driven Engineering Languages and Systems
+		  (\acs{models})},
+  booktitle	= {Model Driven Engineering Languages and Systems
+		  (\acs{models})},
+  address	= pub-springer:adr,
+  location	= {Genova, Italy},
+  publisher	= pub-springer,
+  series	= s-lncs,
+  acknowledgement={brucker, 2007-02-19},
+  volume	= 4199,
+  year		= 2006,
+  doi		= {10.1007/11880240},
+  isbn		= {978-3-540-45772-5}
+}
+
+@InProceedings{	  syme:proving:1999,
+  author	= {Don Syme},
+  title		= {Proving {Java} Type Soundness},
+  pages		= {83--118},
+  crossref	= {alves-foss:formal:1999},
+  acknowledgement={brucker, 2007-02-19},
+  abstract	= {This chapter describes a machine checked proof of the type
+		  soundness of a subset of Java (we call this subset
+		  Javatex2html_wrap_inline102). In Chapter 3, a formal
+		  semantics for approximately the same subset was presented
+		  by Drossopoulou and Eisenbach. The work presented here
+		  serves two roles: it complements the written semantics by
+		  correcting and clarifying some details; and it demonstrates
+		  the utility of formal, machine checking when exploring a
+		  large and detailed proof based on operational semantics.},
+  bibkey	= {syme:proving:1999}
+}
+
+@InProceedings{	  flatt.ea:programmers:1999,
+  author	= {Matthew Flatt and Shriram Krishnamurthi and Matthias
+		  Felleisen},
+  title		= {A Programmer's Reduction Semantics for Classes and
+		  Mixins.},
+  doi		= {10.1007/3-540-48737-9_7},
+  pages		= {241--269},
+  crossref	= {alves-foss:formal:1999},
+  acknowledgement={brucker, 2007-02-19},
+  abstract	= {While class-based object-oriented programming languages
+		  provide a flexible mechanism for re-using and managing
+		  related pieces of code, they typically lack linguistic
+		  facilities for specifying a uniform extension of many
+		  classes with one set of fields and methods. As a result,
+		  programmers are unable to express certain abstractions over
+		  classes. In this paper we develop a model of class-to-class
+		  functions that we refer to as mixins. A mixin function maps
+		  a class to an extended class by adding or overriding fields
+		  and methods. Programming with mixins is similar to
+		  programming with single inheritance classes, but mixins
+		  more directly encourage programming to interfaces. The
+		  paper develops these ideas within the context of Java. The
+		  results are an intuitive model of an essential Java subset;
+		  an extension that explains and models mixins; and type
+		  soundness theorems for these languages.}
+}
+
+@InProceedings{	  drossopoulou.ea:describing:1999,
+  author	= {Sophia Drossopoulou and Susan Eisenbach},
+  title		= {Describing the Semantics of {Java} and Proving Type
+		  Soundness},
+  pages		= {41--82},
+  doi		= {10.1007/3-540-48737-9_2},
+  crossref	= {alves-foss:formal:1999},
+  acknowledgement={brucker, 2007-02-19},
+  abstract	= {Java combines the experience from the development of
+		  several object oriented languages, such as C++, Smalltalk
+		  and CLOS. The philosophy of the language designers was to
+		  include only features with already known semantics, and to
+		  provide a small and simple language.
+		  
+		  Nevertheless, we feel that the introduction of some new
+		  features in Java, as well as the specific combination of
+		  features, justifies a study of the Java formal semantics.
+		  The use of interfaces, reminiscent of [6,10] is a
+		  simplification of the signatures extension for C++ [4] and
+		  is - to the best of our knowledge - novel. The mechanism
+		  for dynamic method binding is that of C++, but we know of
+		  no formal definition. Java adopts the Smalltalk [15]
+		  approach whereby all object variables are implicitly
+		  pointers.
+		  
+		  Furthermore, although there are a large number of studies
+		  of the semantics of isolated programming language features
+		  or of minimal programming languages [1,31,34] there have
+		  not been many studies of the formal semantics of actual
+		  programming languages. In addition, the interplay of
+		  features which are very well understood in isolation, might
+		  introduce unexpected effects. }
+}
+
+@InProceedings{	  oheimb.ea:machine-checking:1999,
+  author	= {David von Oheimb and Tobias Nipkow},
+  title		= {Machine-Checking the {Java} Specification: Proving
+		  Type-Safety},
+  pages		= {119--156},
+  crossref	= {alves-foss:formal:1999},
+  acknowledgement={brucker, 2007-02-19},
+  bibkey	= {oheimb.ea:machine-checking:1999}
+}
+
+@Proceedings{	  alves-foss:formal:1999,
+  editor	= {Jim Alves-Foss},
+  title		= {Formal Syntax and Semantics of {Java}},
+  booktitle	= {Formal Syntax and Semantics of {Java}},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 1523,
+  year		= 1999,
+  isbn		= {3-540-66158-1},
+  acknowledgement={brucker, 2007-02-19},
+  bibkey	= {alves-foss:formal:1999}
+}
+
+@InProceedings{	  smith.ea:encoding:2002,
+  author	= {Graeme Smith and Florian Kamm{\"u}ller and Thomas Santen},
+  title		= {Encoding {Object-Z} in {Isabelle}/{\acs{hol}}.},
+  pages		= {82--99},
+  doi		= {10.1007/3-540-45648-1_5},
+  crossref	= {bert.ea:zb:2002},
+  abstract	= {In this paper, we present a formalization of the reference
+		  semantics of Object-Z in the higher-order logic (HOL)
+		  instantiation of the generic theorem prover Isabelle,
+		  Isabelle/HOL. This formalization has the effect of both
+		  clarifying the semantics and providing the basis for a
+		  theorem prover for Object-Z. The work builds on an earlier
+		  encoding of a value semantics for object-oriented Z in
+		  Isabelle/HOL and a denotational semantics of Object-Z based
+		  on separating the internal and external effects of class
+		  methods.},
+  keywords	= {Object-Z, reference semantics, higher-order logic,
+		  Isabelle},
+  acknowledgement={brucker, 2007-02-19}
+}
+
+@Proceedings{	  bert.ea:zb:2002,
+  editor	= {Didier Bert and Jonathan P. Bowen and Martin C. Henson and
+		  Ken Robinson},
+  title		= {{ZB} 2002: Formal Specification and Development in {Z} and
+		  {B}},
+  booktitle	= {{ZB} 2002: Formal Specification and Development in {Z} and
+		  {B}},
+  location	= {Grenoble, France},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 2272,
+  year		= 2002,
+  isbn		= {3-540-43166-7},
+  acknowledgement={brucker, 2007-02-19},
+  bibkey	= {bert.ea:zb:2002}
+}
+
+@InProceedings{	  paulson:formulation:1990,
+  author	= {Lawrence C. Paulson},
+  title		= {A formulation of the simple theory of types (for
+		  {Isabelle})},
+  pages		= {246--274},
+  doi		= {10.1007/3-540-52335-9_58},
+  crossref	= {martin-lof.ea:colog-88:1990},
+  acknowledgement={brucker, 2007-02-19},
+  abstract	= {Simple type theory is formulated for use with the generic
+		  theorem prover Isabelle. This requires explicit type
+		  inference rules. There are function, product, and subset
+		  types, which may be empty. Descriptions (the eta-operator)
+		  introduce the Axiom of Choice. Higher-order logic is
+		  obtained through reflection between formulae and terms of
+		  type bool. Recursive types and functions can be formally
+		  constructed. Isabelle proof procedures are described. The
+		  logic appears suitable for general mathematics as well as
+		  computational problems. }
+}
+
+@Proceedings{	  martin-lof.ea:colog-88:1990,
+  editor	= {Per Martin-L{\"o}f and Grigori Mints},
+  title		= {\acs{colog}-88},
+  booktitle	= {\acs{colog}-88},
+  location	= {Tallinn, USSR},
+  publisher	= pub-springer,
+  acknowledgement={brucker, 2007-02-19},
+  address	= pub-springer:adr,
+  doi		= {10.1007/3-540-52335-9},
+  series	= s-lncs,
+  volume	= 417,
+  year		= 1990,
+  isbn		= {3-540-52335-9}
+}
+
+@InProceedings{	  beckert.ea:dynamic:2006,
+  author	= {Bernhard Beckert and Andr{\'e} Platzer},
+  title		= {Dynamic Logic with Non-rigid Functions.},
+  pages		= {266--280},
+  acknowledgement={brucker, 2007-02-19},
+  doi		= {10.1007/11814771_23},
+  abstract	= {We introduce a dynamic logic that is enriched by non-rigid
+		  functions, i.e., functions that may change their value from
+		  state to state (during program execution), and we present a
+		  (relatively) complete sequent calculus for this logic. In
+		  conjunction with dynamically typed object enumerators,
+		  non-rigid functions allow to embed notions of
+		  object-orientation in dynamic logic, thereby forming a
+		  basis for verification of object-oriented programs. A
+		  semantical generalisation of substitutions, called state
+		  update, which we add to the logic, constitutes the central
+		  technical device for dealing with object aliasing during
+		  function modification. With these few extensions, our
+		  dynamic logic captures the essential aspects of the complex
+		  verification system KeY and, hence, constitutes a
+		  foundation for object-oriented verification with the
+		  principles of reasoning that underly the successful KeY
+		  case studies.},
+  crossref	= {furbach.ea:automated:2006}
+}
+
+@Proceedings{	  furbach.ea:automated:2006,
+  editor	= {Ulrich Furbach and Natarajan Shankar},
+  doi		= {10.1007/11814771},
+  title		= {Automated Reasoning (\acs{ijcar})},
+  booktitle	= {Automated Reasoning (\acs{ijcar})},
+  location	= {Seattle, WA},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  acknowledgement={brucker, 2007-02-19},
+  series	= s-lncs,
+  volume	= 4130,
+  year		= 2006,
+  isbn		= {978-3-540-37187-8}
+}
+
+@InProceedings{	  yatake.ea:implementing:2005,
+  author	= {Kenro Yatake and Toshiaki Aoki and Takuya Katayama},
+  title		= {Implementing Application-Specific Object-Oriented Theories
+		  in {\acs{hol}}},
+  acknowledgement={brucker, 2007-02-19},
+  doi		= {10.1007/11560647_33},
+  pages		= {501--516},
+  abstract	= {This paper presents a theory of Object-Oriented concepts
+		  embedded shallowly in HOL for the verification of OO
+		  analysis models. The theory is application-specific in the
+		  sense that it is automatically constructed depending on the
+		  type information of the application. This allows objects to
+		  have attributes of arbitrary types, making it possible to
+		  verify models using not only basic types but also highly
+		  abstracted types specific to the target domain. The theory
+		  is constructed by definitional extension based on the
+		  operational semantics of a heap memory model, which
+		  guarantees the soundness of the theory. This paper mainly
+		  focuses on the implementation details of the theory.},
+  crossref	= {hung.ea:theoretical:2005}
+}
+
+@Proceedings{	  hung.ea:theoretical:2005,
+  editor	= {Dang Van Hung and Martin Wirsing},
+  title		= {Theoretical Aspects of Computing---\acs{ictac} 2005},
+  booktitle	= {Theoretical Aspects of Computing---\acs{ictac} 2005},
+  location	= {Hanoi, Vietnam},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  doi		= {10.1007/11560647},
+  series	= s-lncs,
+  acknowledgement={brucker, 2007-02-19},
+  volume	= 3722,
+  year		= 2005,
+  isbn		= {3-540-29107-5}
+}
+
+@InProceedings{	  aspinall:proof:2000,
+  author	= {David Aspinall},
+  title		= {{P}roof {G}eneral: A Generic Tool for Proof Development},
+  acknowledgement={brucker, 2007-02-19},
+  pages		= {38--42},
+  crossref	= {graf.ea:tools:2000-b},
+  abstract	= {This note describes Proof General, a tool for developing
+		  machine proofs with an interactive proof assistant.
+		  Interaction is based around a proof script, which is the
+		  target of a proof development. Proof General provides a
+		  powerful user-interface with relatively little effort,
+		  alleviating the need for a proof assistant to provide its
+		  own GUI, and providing a uniform appearance for diverse
+		  proof assistants.
+		  
+		  Proof General has a growing user base and is currently used
+		  for several interactive proof systems, including Coq, LEGO,
+		  and Isabelle. Support for others is on the way. Here we
+		  give a brief overview of what Proof General does and the
+		  philosophy behind it; technical details are available
+		  elsewhere. The program and user documentation are available
+		  on the web at http://www.dcs.ed.ac.uk/home/proofgen.}
+}
+
+@InProceedings{	  beckert.ea:many-valued:1992,
+  author	= {Bernhard Beckert and Stefan Gerberding and Reiner
+		  H{\"a}hnle and Werner Kernig},
+  title		= {The Many-Valued Tableau-Based Theorem Prover {\threeTAP}},
+  acknowledgement={brucker, 2007-02-19},
+  pages		= {758--760},
+  bibkey	= {beckert.ea:many-valued:1992},
+  crossref	= {kapur:automated:1992},
+  doi		= {10.1007/3-540-55602-8_219}
+}
+
+@Proceedings{	  kapur:automated:1992,
+  editor	= {Deepak Kapur},
+  title		= {Automated Deduction---\acs{cade}-11},
+  booktitle	= {Automated Deduction---\acs{cade}-11},
+  location	= {Saratoga Springs, \acs{ny}, \acs{usa}},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  doi		= {10.1007/3-540-55602-8},
+  series	= s-lncs,
+  volume	= 607,
+  year		= 1992,
+  acknowledgement={brucker, 2007-02-19},
+  isbn		= {978-3-540-55602-2}
+}
+
+@Article{	  ahrendt.ea:key:2005,
+  bibkey	= {ahrendt.ea:key:2005},
+  author	= {Wolfgang Ahrendt and Thomas Baar and Bernhard Beckert and
+		  Richard Bubel and Martin Giese and Reiner H\"ahnle and
+		  Wolfram Menzel and Wojciech Mostowski and Andreas Roth and
+		  Steffen Schlager and Peter H. Schmitt},
+  title		= {The {\KeY} Tool},
+  doi		= {10.1007/s10270-004-0058-x},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  journal	= j-sosym,
+  volume	= 4,
+  number	= 1,
+  year		= 2005,
+  pages		= {32--54},
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@Article{	  cengarle.ea:ocl:2004,
+  journal	= j-sosym,
+  volume	= 3,
+  pages		= {9--30},
+  number	= 1,
+  year		= 2004,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  issn		= {1619-1366},
+  doi		= {10.1007/s10270-003-0035-9},
+  title		= {{\acs{ocl}} 1.4/5 vs. 2.0 Expressions Formal semantics and
+		  expressiveness},
+  author	= {Mar{\`\i}a Victoria Cengarle and Alexander Knapp},
+  acknowledgement={brucker, 2007-04-23},
+  bibkey	= {cengarle.ea:ocl:2004}
+}
+
+@Article{	  toval.ea:emerging:2003,
+  journal	= j-sosym,
+  pages		= {248--261},
+  volume	= 2,
+  number	= 4,
+  year		= 2003,
+  publisher	= pub-springer,
+  doi		= {10.1007/s10270-003-0031-0},
+  address	= pub-springer:adr,
+  issn		= {1619-1366},
+  month		= dec,
+  title		= {Emerging {\acs{ocl}} tools},
+  author	= {Jos{\'e} Ambrosio Toval and V{\`\i}ctor Requena and
+		  Jos{\'e} Luis Fern{\'a}ndez},
+  acknowledgement={brucker, 2007-04-23},
+  bibkey	= {toval.ea:emerging:2003}
+}
+
+@Article{	  bubel.ea:formal:2005,
+  author	= {Richard Bubel and Reiner H\"{a}hnle},
+  title		= {Integration of informal and formal development of
+		  object-oriented safety-critical software.},
+  year		= 2005,
+  journal	= j-sttt,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  issn		= {1433-2779},
+  volume	= 7,
+  number	= 3,
+  language	= {USenglish},
+  doi		= {10.1007/s10009-004-0166-5},
+  pages		= {197--211},
+  acknowledgement={brucker, 2007-04-23},
+  bibkey	= {bubel.ea:formal:2005}
+}
+
+@Proceedings{	  stepney.ea:object:1992,
+  abstract	= {This collection of papers draws together a variety of
+		  approaches for adding OO concepts and structuring
+		  capability to the Z formal specification language. Each
+		  approach is used to specify the same two problems, to allow
+		  a comparison. },
+  editor	= {Susan Stepney and Rosalind Barden and David Cooper},
+  isbn		= {3-540-19778-8},
+  language	= {USenglish},
+  public	= {yes},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= {Workshops in Computing},
+  topic		= {formalism},
+  title		= {Object Orientation in {Z}},
+  year		= 1992,
+  keywords	= {Object Orientation, Z},
+  acknowledgement={brucker, 2007-04-23},
+  bibkey	= {stepney.ea:object:1992}
+}
+
+@InProceedings{	  hamie.ea:reflections:1998,
+  bibkey	= {hamie.ea:reflections:1998},
+  author	= {Ali Hamie and Franco Civello and John Howse and Stuart
+		  Kent and Richard Mitchell},
+  title		= {{Reflections on the Object Constraint Language}},
+  year		= 1998,
+  doi		= {10.1007/b72309},
+  topic		= {formalism},
+  acknowledgement={brucker, 2007-04-23},
+  pages		= {162--172},
+  crossref	= {bezivin.ea:unified:1999},
+  abstract	= {The \acf{ocl}, which forms part of the \acs{uml} set of
+		  modelling notations, is a precise, textual language for
+		  expressing constraints that cannot be shown
+		  diagrammatically in \acs{uml}. This paper reflects on a
+		  number of aspects of the syntax and semantics of the
+		  \acs{ocl}, and makes proposals for clarification or
+		  extension. Specifically, the paper suggests that: the
+		  concept of flattening collections of collections is
+		  unnecessary, state models should be connectable to class
+		  models, defining object creation should be made more
+		  convenient, \acs{ocl} should be based on a 2-valued logic,
+		  set subtraction should be covered more fully, and a "let"
+		  feature should be introduced. }
+}
+
+@Proceedings{	  bezivin.ea:unified:1999,
+  editor	= {Jean B{\'e}zivin and Pierre-Alain Muller},
+  doi		= {10.1007/b72309},
+  booktitle	= {The Unified Modeling Language. \guillemotleft
+		  \acs{uml}\guillemotright'98: Beyond the Notation},
+  title		= {The Unified Modeling Language. \guillemotleft
+		  \acs{uml}\guillemotright'98: Beyond the Notation},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  acknowledgement={brucker, 2007-04-23},
+  series	= s-lncs,
+  volume	= 1618,
+  year		= 1999,
+  isbn		= {3-540-66252-9}
+}
+
+@Book{		  guttag.ea:larch:1993,
+  author	= {John V. Guttag and James J. Horning},
+  title		= {{Larch}: Languages and Tools for Formal Specification},
+  publisher	= pub-springer-ny,
+  address	= pub-springer-ny:adr,
+  series	= {Texts and Monographs in Computer Science},
+  year		= 1993,
+  isbn		= {0-387-94006-5},
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@Article{	  beckert.ea:refinement:2005,
+  title		= {Refinement and Retrenchment for Programming Language Data
+		  Types},
+  author	= {Bernhard Beckert and Steffen Schlager},
+  journal	= j-fac,
+  volume	= 17,
+  number	= 4,
+  acknowledgement={brucker, 2007-04-23},
+  pages		= {423--442},
+  year		= 2005,
+  doi		= {10.1007/s00165-005-0073-x},
+  publisher	= pub-springer,
+  address	= pub-springer:adr
+}
+
+@Article{	  nipkow:winskel:1998,
+  author	= {Tobias Nipkow},
+  title		= {Winskel is (almost) Right: Towards a Mechanized Semantics
+		  Textbook},
+  publisher	= pub-springer,
+  journal	= j-fac,
+  volume	= 10,
+  number	= 2,
+  doi		= {10.1007/s001650050009},
+  pages		= {171--186},
+  abstract	= {We present a formalization of the first 100 pages of
+		  Winskel's textbook `The Formal Semantics of Programming
+		  Languages' in the theorem prover Isabelle/\acs{hol}: 2
+		  operational, 2 denotational, 2 axiomatic semantics, a
+		  verification condition generator, and the necessary
+		  soundness, completeness and equivalence proofs, all for a
+		  simple imperative programming language.},
+  acknowledgement={brucker, 2007-04-23},
+  year		= 1998,
+  bibkey	= {nipkow:winskel:1998}
+}
+
+@InCollection{	  dupuy.ea:using:2000,
+  author	= {Sophie Dupuy and Ang{\`e}s Front-Conte and Christophe
+		  Saint-Marcel},
+  chapter	= 6,
+  title		= {Using \acs{uml} with a Behaviour-Driven Method},
+  page		= {97--112},
+  acknowledgement={brucker, 2007-04-23},
+  crossref	= {frappier.ea:software:2000}
+}
+
+@Book{		  frappier.ea:software:2000,
+  editor	= {Marc Frappier and Henri Habrias},
+  title		= {Software Specification Methods: An Overview Using a Case
+		  Study},
+  acknowledgement={brucker, 2007-04-23},
+  publisher	= pub-springer-london,
+  address	= pub-springer-london:adr,
+  year		= 2000,
+  isbn		= {1-85233-353-7},
+  series	= {Formal Approaches to Computing and Information
+		  Technology}
+}
+
+@InProceedings{	  hamie.ea:interpreting:1998,
+  bibkey	= {hamie.ea:interpreting:1998},
+  author	= {Ali Hamie and John Howse and Stuart Kent},
+  title		= {Interpreting the {Object Constraint Language}},
+  abstract	= {The \acf{ocl}, which forms part of the \acs{uml} 1.1. set
+		  of modelling notations is a precise, textual language for
+		  expressing constraints that cannot be shown in the standard
+		  diagrammatic notation used in \acs{uml}. A semantics for
+		  \acs{ocl} lays the foundation for building CASE tools that
+		  support integrity checking of the whole \acs{uml} models,
+		  not just the component expressed using \acs{ocl}. This
+		  paper provides a semantics for \acs{ocl}, at the same time
+		  providing a semantics for classes, associations, attributes
+		  and states. },
+  pages		= {288--295},
+  ee		= {http://csdl.computer.org/comp/proceedings/apsec/1998/9183/00/91830288abs.htm}
+		  ,
+  doi		= {10.1109/apsec.1998.733731},
+  keywords	= {OCL},
+  acknowledgement={brucker, 2007-04-23},
+  topic		= {formalism},
+  crossref	= {ieee:apsec:1998}
+}
+
+@Proceedings{	  ieee:apsec:1998,
+  bibkey	= {ieee:apsec:1998},
+  booktitle	= PROC # { Asia Pacific Conference in Software
+		  Engineering (\acs{apsec})},
+  title		= PROC # { Asia Pacific Conference in Software
+		  Engineering (\acs{apsec})},
+  publisher	= pub-ieee,
+  address	= pub-ieee:adr,
+  acknowledgement={brucker, 2007-04-23},
+  year		= 1998,
+  isbn		= {0-8186-9183-2}
+}
+
+@InProceedings{	  mandel.ea:ocl:1999,
+  author	= {Luis Mandel and Mar{\`i}a Victoria Cengarle},
+  bibkey	= {mandel.ea:ocl:1999},
+  language	= {USenglish},
+  topic		= {formalism},
+  public	= {yes},
+  title		= {On the expressive power of {\acs{ocl}}},
+  acknowledgement={brucker, 2007-04-23},
+  timestamp	= 962971498,
+  abstract	= {This paper examines the expressive power of \acs{ocl} in
+		  terms of navigability and computability. First the
+		  expressive power of \acs{ocl} is compared with the
+		  relational calculus; it is showed that \acs{ocl} is not
+		  equivalent to the relational calculus. Then an algorithm
+		  computing the transitive closure of a binary relation
+		  operation that cannot be encoded in the relational calculus
+		  is expressed in \acs{ocl}. Finally the equivalence of
+		  \acs{ocl} with a Turing machine is pondered.},
+  pages		= {854--874},
+  crossref	= {wing.ea:world:1999},
+  ee		= {http://link.springer.de/link/service/series/0558/bibs/1708/17080854.htm}
+		  
+}
+
+@Proceedings{	  wing.ea:world:1999,
+  editor	= {Jeannette M. Wing and Jim Woodcock and Jim Davies},
+  booktitle	= {World Congress on Formal Methods in the Development of
+		  Computing Systems (FM)},
+  title		= {World Congress on Formal Methods in the Development of
+		  Computing Systems (FM)},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  acknowledgement={brucker, 2007-04-23},
+  series	= s-lncs,
+  volume	= 1708,
+  year		= 1999,
+  isbn		= {3-540-66587-0}
+}
+
+@Book{		  spivey:z-notation:1992,
+  bibkey	= {spivey:z-notation:1992},
+  author	= {J. M. Spivey},
+  title		= {The {Z} Notation: A Reference Manual},
+  publisher	= pub-prentice,
+  address	= pub-prentice:adr,
+  edition	= {2nd},
+  length	= 150,
+  year		= 1992,
+  isbn		= {0-139-78529-9},
+  acknowledgement={brucker, 2007-04-23},
+  abstract	= {This is a revised edition of the first widely available
+		  reference manual on Z originally published in 1989. The
+		  book provides a complete and definitive guide to the use of
+		  Z in specifying information systems, writing specifications
+		  and designing implementations. \par Contents: Tutorial
+		  introduction; Background; The Z language; The mathematical
+		  tool-kit; Sequential systems; Syntax summary; Changes from
+		  the first edition; Glossary.}
+}
+
+@Book{		  jones:vdm:1990,
+  bibkey	= {jones:vdm:1990},
+  author	= {Cliff B.\ Jones},
+  title		= {Systematic Software Development Using \acs{vdm}},
+  publisher	= pub-prentice,
+  address	= pub-prentice:adr,
+  year		= 1990,
+  size		= 333,
+  edition	= {2nd},
+  note		= {0-13-880733-7},
+  abstract	= {This book deals with the Vienna Development Method. The
+		  approach explains formal (functional) specifications and
+		  verified design with an emphasis on the study of proofs in
+		  the development process.},
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@Article{	  liskov.ea:behavioral:1994,
+  bibkey	= {liskov.ea:behavioral:1994},
+  abstract	= {The use of hierarchy is an important component of
+		  object-oriented design.Hierarchy allows the use of type
+		  families, in whichhigher level supertypes capture the
+		  behavior that all of their subtypes havein common. For this
+		  methodology to be effective,it is necessary to have a clear
+		  understanding of how subtypes and supertypesare related.
+		  This paper takes the position thatthe relationship should
+		  ensure that any property proved about supertypeobjects also
+		  holds for its subtype objects. It presentstwo ways of
+		  defining the subtype relation, each of which meets this
+		  criterion,and each of which is easy for programmers touse.
+		  The subtype relation is based on the specifications of the
+		  sub- and supertypes; the paper presents a way of
+		  specifyingtypes that makes it convenient to define the
+		  subtype relation. The paper alsodiscusses the ramifications
+		  of this notion ofsubtyping on the design of type
+		  families.},
+  author	= {Barbara H. Liskov and Jeannette M. Wing},
+  journal	= j-toplas,
+  month		= nov,
+  pages		= {1811--1841},
+  issn		= {0164-0925},
+  keywords	= {languages, verficiation},
+  language	= {USenglish},
+  number	= 6,
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  doi		= {10.1145/197320.197383},
+  public	= {yes},
+  title		= {A behavioral notion of subtyping},
+  volume	= 16,
+  year		= 1994,
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@Book{		  winskel:semantics:1993,
+  bibkey	= {winskel:semantics:1993},
+  author	= {Glynn Winskel},
+  title		= {The Formal Semantics of Programming Languages},
+  publisher	= pub-mit,
+  address	= pub-mit:adr,
+  isbn		= {0-262-23169-7},
+  pages		= 384,
+  year		= 1993,
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@Book{		  andrews:introduction:2002,
+  author	= {Peter B. Andrews},
+  title		= {Introduction to Mathematical Logic and Type Theory: To
+		  Truth through Proof},
+  year		= 2002,
+  isbn		= {1-402-00763-9},
+  edition	= {2nd},
+  publisher	= pub-kluwer,
+  address	= pub-kluwer:adr,
+  acknowledgement={brucker, 2007-04-23},
+  bibkey	= {andrews:introduction:2002}
+}
+
+@PhDThesis{	  santen:mechanized:1999,
+  author	= {Thomas Santen},
+  title		= {A Mechanized Logical Model of {Z} and Object-Oriented
+		  Specification},
+  school	= {Technical University Berlin},
+  year		= 1999,
+  month		= jun,
+  annote	= {Also available as book: Shaker Verlag, Aachen. ISBN:
+		  3826576500},
+  bibkey	= {santen:mechanized:1999},
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@Book{		  kleene:mathematics:1971,
+  bibkey	= {kleene:mathematics:1971},
+  author	= {Stephen C. Kleene},
+  title		= {Introduction to Meta Mathematics},
+  publisher	= {Wolters-Noord\-hoff Publishing},
+  address	= {Amsterdam},
+  isbn		= {0-7204-2103-9},
+  year		= 1971,
+  note		= {Originally published by Van Nostrand, 1952},
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@Book{		  gordon.ea:hol:1993,
+  bibkey	= {gordon.ea:hol:1993},
+  author	= {Mike J. C. Gordon and Tom F. Melham},
+  title		= {Introduction to \acs{hol}: a theorem proving environment
+		  for higher order logic},
+  publisher	= pub-cup,
+  address	= pub-cup:adr,
+  year		= 1993,
+  pages		= 472,
+  isbn		= {0-521-44189-7},
+  month		= jul,
+  abstract	= {Currently being applied to a wide variety of problems,
+		  Higher-Order Logic (\acs{hol}) is a proof development
+		  system intended for applications to both hardware and
+		  software. This self-contained description contains a
+		  tutorial introduction and most of the material needed for
+		  day-to-day work.},
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@PhDThesis{	  richters:precise:2002,
+  author	= {Mark Richters},
+  title		= {A Precise Approach to Validating {\acs{uml}} Models and
+		  {\acs{ocl}} Constraints},
+  school	= {Universit{\"a}t Bremen},
+  year		= 2002,
+  address	= {Logos Verlag, Berlin, \acs{biss} Monographs, No. 14},
+  isbn		= {3-89722-842-4},
+  abstract	= {We present a precise approach that allows an analysis and
+		  validation of \acs{uml} models and OCL constraints. We
+		  focus on models and constraints specified in the analysis
+		  and early design stage of a software development process.
+		  For this purpose, a suitable subset of \acs{uml}
+		  corresponding to information that is usually represented in
+		  class diagrams is identified and formally defined. This
+		  basic modeling language provides a context for all OCL
+		  constraints. We define a formal syntax and semantics of OCL
+		  types, operations, expressions, invariants, and
+		  pre-/postconditions. We also give solutions for problems
+		  with the current OCL definition and discuss possible
+		  extensions. A metamodel for OCL is introduced that defines
+		  the abstract syntax of OCL expressions and the structure of
+		  types and values. The metamodel approach allows a seamless
+		  integration with the \acs{uml} metamodeling architecture
+		  and makes the benefits of a precise OCL definition easier
+		  accessible. The OCL metamodel also allows to define
+		  context-sensitive conditions for well-formed OCL
+		  expressions more precisely. These conditions can now be
+		  specified with OCL whereas they previously were specified
+		  only informally. In order to demonstrate the practical
+		  applicability of our work, we have realized substantial
+		  parts of it in a tool supporting the validation of models
+		  and constraints. Design specifications can be ``executed''
+		  and animated thus providing early feedback in an iterative
+		  development process. Our approach offers novel ways for
+		  checking user data against specifications, for automating
+		  test procedures, and for checking CASE tools for standards
+		  conformance. Therefore, this work contributes to the goal
+		  of improving the overall quality of software systems by
+		  combining theoretical and practical techniques.},
+  acknowledgement={brucker, 2007-04-23}
+}
+
+
+@Booklet{	  omg:ocl:1997,
+  bibkey	= {omg:ocl:1997},
+  key		= omg,
+  abstract	= {This document introduces and defines the Object Constraint
+		  Language (\acs{ocl}), a formal language to express side
+		  effect-free constraints. Users of the Unified Modeling
+		  Language and other languages can use \acs{ocl} to specify
+		  constraints and other expressions attached to their models.
+		  \acs{ocl} was used in the \acs{uml} Semantics document to
+		  specify the well-formedness rules of the \acs{uml}
+		  metamodel. Each well-formedness rule in the static
+		  semantics sections in the \acs{uml} Semantics document
+		  contains an \acs{ocl} expression, which is an invariant for
+		  the involved class. The grammar for \acs{ocl} is specified
+		  at the end of this document. A parser generated from this
+		  grammar has correctly parsed all the constraints in the
+		  \acs{uml} Semantics document, a process which improved the
+		  correctness of the specifications for \acs{ocl} and \acs{uml}.},
+  institution	= omg,
+  language	= {USenglish},
+  month		= sep,
+  note		= {Available as \acs{omg} document
+		  \href{http://www.omg.org/cgi-bin/doc?ad/97-08-08}
+		  {ad/97-08-08}},
+  keywords	= {\acs{uml}, OCL},
+  topic		= {formalism},
+  public	= {yes},
+  title		= {Object Constraint Language Specification (Version 1.1)},
+  year		= 1997,
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@Booklet{	  omg:xmi:2000,
+  bibkey	= {omg:xmi:2000},
+  key		= omg,
+  abstract	= {The main purpose of XMI is to enable easy interchange of
+		  metadata between modeling tools (based on the
+		  \acs{omg}-\acs{uml}) and metadata repositories
+		  (\acs{omg}-MOF based) in distributed heterogeneous
+		  environments. XMI integrates three key industry standards:
+		  XML, \acs{uml}, MOF.},
+  publisher	= omg,
+  language	= {USenglish},
+  month		= nov,
+  year		= 2000,
+  keywords	= {\acs{uml}, XML, XMI},
+  topic		= {formalism},
+  public	= {yes},
+  title		= {\acs{omg} \acs{xml} Metadata Interchange (\acs{xmi})
+		  Specification (Version 1.1)},
+  note		= {Available as \acs{omg} document
+		  \href{http://www.omg.org/cgi-bin/doc?formal/00-11-02}
+		  {formal/00-11-02}},
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@Booklet{	  omg:ocl:2003,
+  bibkey	= {omg:ocl:2003},
+  key		= omg,
+  abstract	= {This document introduces and defines the Object Constraint
+		  Language (OCL), a formal language to express side
+		  effect-free constraints. Users of the Unified Modeling
+		  Language and other languages can use OCL to specify
+		  constraints and other expressions attached to their models.
+		  OCL was used in the \acs{uml} Semantics document to specify
+		  the well-formedness rules of the \acs{uml} metamodel. Each
+		  well-formedness rule in the static semantics sections in
+		  the \acs{uml} Semantics document contains an OCL
+		  expression, which is an invariant for the involved class.
+		  The grammar for OCL is specified at the end of this
+		  document. A parser generated from this grammar has
+		  correctly parsed all the constraints in the \acs{uml}
+		  Semantics document, a process which improved the
+		  correctness of the specifications for OCL and \acs{uml}.},
+  publisher	= omg,
+  language	= {USenglish},
+  month		= oct,
+  keywords	= {\acs{uml}, OCL},
+  topic		= {formalism},
+  public	= {yes},
+  note		= {Available as \acs{omg} document
+		  \href{http://www.omg.org/cgi-bin/doc?ptc/03-10-14}
+		  {ptc/03-10-14}},
+  title		= {\acs{uml} 2.0 \acs{ocl} Specification},
+  year		= 2003,
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@Booklet{	  omg:uml:2003,
+  bibkey	= {omg:uml:2003},
+  key		= omg,
+  abstract	= {The Unified Modeling Language (\acs{uml}) provides system
+		  architects working on object analysis and design with one
+		  consistent language for specifying, visualizing,
+		  constructing, and documenting the artifacts of software
+		  systems, as well as for business modeling.This
+		  specification represents the convergence of best practices
+		  in the object-technology industry. \acs{uml} is the proper
+		  successor to the object modeling languages of three
+		  previouslyleading object-oriented methods (Booch, OMT, and
+		  OOSE). The \acs{uml} is the union of thesemodeling
+		  languages and more, since it includes additional
+		  expressiveness to handle modelingproblems that these
+		  methods did not fully address.One of the primary goals of
+		  \acs{uml} is to advance the state of the industry by
+		  enabling objectvisual modeling tool interoperability.
+		  However, in order to enable meaningful exchange ofmodel
+		  information between tools, agreement on semantics and
+		  notation is required. \acs{uml} meets the following
+		  requirements: \begin{enumerate} \item Formal definition of
+		  a common object analysis and design (OA\&D) metamodel to
+		  representthe semantics of OA\&D models, which include
+		  static models, behavioral models, usagemodels, and
+		  architectural models. \item IDL specifications for
+		  mechanisms for model interchange between OA\&D tools.
+		  Thisdocument includes a set of IDL interfaces that support
+		  dynamic construction and traversal ofa user model. \item
+		  readable notation for representing OA\&D models.
+		  \end{enumerate} This document defines the \acs{uml}
+		  notation, an elegant graphic syntax for consistently
+		  expressing the \acs{uml}'s richsemantics. Notation is an
+		  essential part of OA\&D modeling and the \acs{uml}.},
+  publisher	= omg,
+  language	= {USenglish},
+  month		= mar,
+  year		= 2003,
+  note		= {Available as \acs{omg} document
+		  \href{http://www.omg.org/cgi-bin/doc?formal/03-03-01}
+		  {formal/03-03-01}},
+  keywords	= {\acs{uml}, OCL},
+  topic		= {formalism},
+  public	= {yes},
+  title		= {Unified Modeling Language Specification (Version 1.5)},
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@Booklet{	  omg:ocl:2006,
+  bibkey	= {omg:ocl:2006},
+  key		= omg,
+  abstract	= {This document introduces and defines the Object Constraint
+		  Language (OCL), a formal language to express side
+		  effect-free constraints. Users of the Unified Modeling
+		  Language and other languages can use OCL to specify
+		  constraints and other expressions attached to their models.
+		  OCL was used in the \acs{uml} Semantics document to specify
+		  the well-formedness rules of the \acs{uml} metamodel. Each
+		  well-formedness rule in the static semantics sections in
+		  the \acs{uml} Semantics document contains an OCL
+		  expression, which is an invariant for the involved class.
+		  The grammar for OCL is specified at the end of this
+		  document. A parser generated from this grammar has
+		  correctly parsed all the constraints in the \acs{uml}
+		  Semantics document, a process which improved the
+		  correctness of the specifications for OCL and \acs{uml}.},
+  publisher	= omg,
+  language	= {USenglish},
+  month		= apr,
+  keywords	= {\acs{uml}, OCL},
+  topic		= {formalism},
+  note		= {Available as \acs{omg} document
+		  \href{http://www.omg.org/cgi-bin/doc?formal/06-05-01}
+		  {formal/06-05-01}},
+  public	= {yes},
+  title		= {\acs{uml} 2.0 \acs{ocl} Specification},
+  year		= 2006,
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@Booklet{	  omg:uml:2005,
+  bibkey	= {omg:uml:2005},
+  key		= omg,
+  publisher	= omg,
+  language	= {USenglish},
+  note		= {Available as \acs{omg} document
+		  \href{http://www.omg.org/cgi-bin/doc?formal/05-07-04}
+		  {formal/05-07-04}},
+  keywords	= {\acs{uml}},
+  topic		= {formalism},
+  public	= {yes},
+  title		= {\acs{uml} 2.0 Superstructure Specification},
+  year		= 2005,
+  month		= jul,
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@PhDThesis{	  oheimb:analyzing:2001,
+  author	= {David von Oheimb},
+  title		= {Analyzing {J}ava in {Isabelle/\acs{hol}}: Formalization,
+		  Type Safety and {H}oare Logic},
+  school	= {Technische Universit\"{a}t M\"{u}nchen},
+  year		= 2001,
+  crclassification={D.2.4, D.3.1, F.3.1},
+  crgenterms	= {Languages, Verification, Theory},
+  keywords	= {Java, formalization, operational semantics, type
+		  soundness, axiomatic semantics, Isabelle/HOL},
+  abstract	= {This thesis deals with machine-checking a large
+		  sublanguage of sequential Java, covering nearly all
+		  features, in particular the object-oriented ones. It shows
+		  that embedding such a language in a theorem prover and
+		  deducing practically important properties is meanwhile
+		  possible and explains in detail how this can be achieved.
+		  We formalize the abstract syntax, and the static semantics
+		  including the type system and well-formedness conditions,
+		  as well as an operational (evaluation) semantics of the
+		  language. Based on these definitions, we can express
+		  soundness of the type system, an important design goal
+		  claimed to be reached by the designers of Java, and prove
+		  that type safety holds indeed. Moreover, we give an
+		  axiomatic semantics of partial correctness for both
+		  statements and (side-effecting) expressions. We prove the
+		  soundness of this semantics relative to the operational
+		  semantics, and even prove completeness. We further give a
+		  small but instructive application example. A direct outcome
+		  of this work is the confirmation that the design and
+		  specification of Java (or at least the subset considered)
+		  is reasonable, yet some omissions in the language
+		  specification and possibilities for generalizing the design
+		  can be pointed out. The second main contribution is a sound
+		  and complete Hoare logic, where the soundness proof for our
+		  Hoare logic gives new insights into the role of type
+		  safety. To our knowledge, this logic is the first one for
+		  an object-oriented language that has been proved complete.
+		  By-products of this work are a new general technique for
+		  handling side-effecting expressions and their results, the
+		  discovery of the strongest possible rule of consequence,
+		  and a new rule for flexible handling of mutual recursion.
+		  All definitions and proofs have been done fully formally
+		  with the interactive theorem prover Isabelle/HOL,
+		  representing one of its major applications. This approach
+		  guarantees not only rigorous definitions, but also gives
+		  maximal confidence in the results obtained. Thus this
+		  thesis demonstrates that machine-checking the design of an
+		  important non-trivial programming language and conducting
+		  meta-theory on it entirely within a theorem proving system
+		  has become a reality. },
+  acknowledgement={brucker, 2007-04-23},
+  bibkey	= {oheimb:analyzing:2001}
+}
+
+@Article{	  chiarada.ea:improving:2006,
+  bibkey	= {chiarada.ea:improving:2006},
+  language	= {USenglish},
+  public	= {yes},
+  title		= {Improving the {\acs{ocl}} Semantics Definition by Applying
+		  Dynamic Meta Modeling and Design Patterns},
+  author	= {Juan Mart{\'\i}n Chiarad{\'\i}a and Claudia Pons},
+  editor	= {Birgith Demuth and Dan Chiorean and Martin Gogolla and Jos
+		  Warmer},
+  issn		= {1863-2122},
+  volume	= 5,
+  year		= 2006,
+  acknowledgement={brucker, 2007-04-23},
+  journal	= j-eceasst
+}
+
+@PhDThesis{	  schirmer:verification:2006,
+  author	= {Norbert Schirmer},
+  title		= {Verification of Sequential Imperative Programs in
+		  {I}sabelle/{\acs{hol}}},
+  school	= {Technische Universit\"at M\"unchen},
+  year		= 2006,
+  acknowledgement={brucker, 2007-04-23},
+  abstract	= {The purpose of this thesis is to create a verification
+		  environment for sequential imperative programs. First a
+		  general language model is proposed, which is independent of
+		  a concrete programming language but expressive enough to
+		  cover all common language features: mutually recursive
+		  procedures, abrupt termination and exceptions, runtime
+		  faults, local and global variables, pointers and heap,
+		  expressions with side effects, pointers to procedures,
+		  partial application and closures, dynamic method invocation
+		  and also unbounded nondeterminism.
+		  
+		  For this language a Hoare logic for both partial and total
+		  correctness is developed and on top of it a verification
+		  condition generator is implemented. The Hoare logic is
+		  designed to allow the integration of program analysis or
+		  software model checking into the verification.
+		  
+		  To demonstrate the continuity to a real programming
+		  language a subset of C is embedded into the verification
+		  environment.
+		  
+		  The whole work is developed in the theorem prover Isabelle.
+		  Therefore the correctness is machine-checked and in
+		  addition the rich infrastructure of the general purpose
+		  theorem prover Isabelle can be employed for the
+		  verification of imperative programs.
+		  
+		  }
+}
+
+@Article{	  harel.ea:meaningful:2004,
+  author	= {David Harel and Bernhard Rumpe},
+  title		= {Meaningful Modeling: What's the Semantics of
+		  ``Semantics''?},
+  journal	= {\acs{ieee} Computer},
+  year		= 2004,
+  pages		= {64--72},
+  volume	= 37,
+  issn		= {0018-9162},
+  number	= 10,
+  month		= oct,
+  publisher	= pub-ieee,
+  address	= pub-ieee:adr,
+  doi		= {10.1109/MC.2004.172},
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@Book{		  hahnle:automated:1994,
+  author	= {Reiner H{\"a}hnle},
+  title		= {Automated Deduction in Multiple-valued Logics},
+  publisher	= pub-oxford,
+  address	= pub-oxford:adr,
+  disvolume	= 10,
+  disseries	= {International Series of Monographs on Computer Science},
+  year		= 1994,
+  acknowledgement={brucker, 2007-04-23},
+  isbn		= {0-19-853989-4},
+  bibkey	= {hahnle:automated:1994}
+}
+
+@Book{		  vigano:labelled:2000,
+  author	= {Luca Vigan{\`o}},
+  title		= {Labelled Non-Classical Logics},
+  year		= 2000,
+  language	= {USenglish},
+  publisher	= pub-kluwer,
+  address	= pub-kluwer:adr,
+  isbn		= {0-7923-7749-4},
+  cover		= {2000/lncl.png},
+  abstract	= {The subject of the book is the development and
+		  investigation of a framework for the modular and uniform
+		  presentation and implementation of non-classical logics, in
+		  particular modal and relevance logics. Logics are presented
+		  as labelled deduction systems, which are proved to be sound
+		  and complete with respect to the corresponding Kripke-style
+		  semantics. We investigate the proof theory of our systems,
+		  and show them to possess structural properties such as
+		  normalization and the subformula property, which we exploit
+		  not only to establish advantages and limitations of our
+		  approach with respect to related ones, but also to give, by
+		  means of a substructural analysis, a new proof-theoretic
+		  method for investigating decidability and complexity of
+		  (some of) the logics we consider. All of our deduction
+		  systems have been implemented in the generic theorem prover
+		  Isabelle, thus providing a simple and natural environment
+		  for interactive proof development.},
+  acknowledgement={brucker, 2007-04-23},
+  bibkey	= {vigano:labelled:2000}
+}
+
+@Book{		  gabbay:labelled:1997,
+  author	= {Dov M. Gabbay},
+  title		= {Labelled Deductive Systems},
+  publisher	= pub-oxford,
+  address	= pub-oxford:adr,
+  series	= {Oxford Logic Guides},
+  year		= 1997,
+  isbn		= {978-0-198-53833-2},
+  volume	= 1,
+  acknowledgement={brucker, 2007-04-23},
+  bibkey	= {gabbay:labelled:1997}
+}
+
+@Book{		  warmer.ea:ocl2:2003,
+  bibkey	= {warmer.ea:ocl2:2003},
+  author	= {Jos Warmer and Anneke Kleppe},
+  abstract	= {This book covers \acs{ocl} 2.0},
+  keywords	= {OCL, \acs{uml}},
+  isbn		= {0-321-17936-6},
+  edition	= {2nd},
+  language	= {USenglish},
+  public	= {yes},
+  topic		= {formalism},
+  publisher	= pub-awl,
+  address	= pub-awl:adr,
+  title		= {The Object Constraint Language: Getting Your Models Ready
+		  for \acs{mda}},
+  year		= 2003,
+  month		= aug,
+  num_pages	= 240,
+  price		= {39.99},
+  cover		= {2003/ocl2.png},
+  currency	= {USD},
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@Book{		  smith:object:2000,
+  author	= {Graeme Smith},
+  title		= {The Object {Z} Specification Language},
+  publisher	= pub-kluwer,
+  address	= pub-kluwer:adr,
+  year		= 2000,
+  isbn		= {0-7923-8684-1},
+  pages		= 160,
+  abstract	= {bject-Z is an object-oriented extension of the formal
+		  specification language Z. It adds, to Z, notions of classes
+		  and objects, and inheritance and polymorphism. By extending
+		  Z's semantic basis, it enables the specification of systems
+		  as collections of independent objects in which self and
+		  mutual referencing are possible.
+		  
+		  The Object-Z Specification Language presents a
+		  comprehensive description of Object-Z including discussions
+		  of semantic issues, definitions of all language constructs,
+		  type rules and other rules of usage, specification
+		  guidelines, and a full concrete syntax. It will enable you
+		  to confidently construct Object-Z specifications and is
+		  intended as a reference manual to keep by your side as you
+		  use and learn to use Object-Z.
+		  
+		  The Object-Z Specification Language is suitable as a
+		  textbook or as a secondary text for a graduate level
+		  course, and as a reference for researchers and
+		  practitioners in industry.},
+  series	= {Advances in Formal Methods Series},
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@Book{		  meyer:object-oriented:1988,
+  author	= {Bertrand Meyer},
+  title		= {Object-Oriented Software Construction},
+  acknowledgement={brucker, 2007-04-23},
+  publisher	= pub-prentice,
+  address	= pub-prentice:adr,
+  year		= 1988,
+  isbn		= {0-13-629031-0},
+  descriptor	= {Eiffel, Objekt-orientiert, Software}
+}
+
+@Article{	  meyer.ea:interactive:1999,
+  title		= {Interactive Verification Environments for Object-Oriented
+		  Languages },
+  author	= {J{\"o}rg Meyer and Arnd Poetzsch-Heffter },
+  journal	= j-ucs,
+  volume	= 5,
+  url		= {http://www.jucs.org/jucs_5_3/interactive_verification_environments_for}
+		  ,
+  number	= 3,
+  pages		= {208--225 },
+  year		= 1999,
+  doi		= {10.1007/3-540-46419-0_6},
+  acknowledgement={brucker, 2007-04-23},
+  abstract	= {Formal specification and verification techniques can
+		  improve the quality of object-oriented software by enabling
+		  semantic checks and certification of properties. To be
+		  applicable to object-oriented programs, they have to cope
+		  with subtyping, aliasing via object references, as well as
+		  abstract and recursive methods. For mastering the resulting
+		  complexity, mechanical aid is needed. The article outlines
+		  the specific technical requirements for the specification
+		  and verification of object-oriented programs. Based on
+		  these requirements, it argues that verification of
+		  OO-programs should be done interactively and develops an
+		  modular architecture for this task. In particular, it shows
+		  how to integrate interactive program verification with
+		  existing universal interactive theorem provers, and
+		  explains the new developed parts of the architecture. To
+		  underline the general approach, we describe interesting
+		  features of our prototype implementation.}
+}
+
+@Article{	  church:types:1940,
+  author	= {Church, Alonzo},
+  title		= {A formulation of the simple theory of types},
+  journal	= j-sl,
+  year		= 1940,
+  volume	= 5,
+  number	= 2,
+  month		= jun,
+  pages		= {56--68},
+  acknowledgement={brucker, 2007-04-23},
+  bibkey	= {church:types:1940}
+}
+
+@Article{muller.ea:holcf:1999,
+  author	= {Olaf M\"uller and Tobias Nipkow and David von Oheimb and
+		  Oskar Slotosch},
+  title		= {{HOLCF = HOL + LCF}},
+  
+  journal	= {j-fp},
+  number	= {2},
+  doi		= {10.1017/S095679689900341X},
+  volume	= {9},
+  pages		= {191--223},
+  year		= {1999},
+  abstract	= {HOLCF is the definitional extension of Church's
+		  Higher-Order Logic with Scott's Logic for Computable
+		  Functions that has been implemented in the theorem prover
+		  Isabelle. This results in a flexible setup for reasoning
+		  about functional programs. HOLCF supports standard domain
+		  theory (in particular fixedpoint reasoning and recursive
+		  domain equations) but also coinductive arguments about lazy
+		  datatypes. This paper describes in detail how domain theory
+		  is embedded in HOL and presents applications from
+		  functional programming, concurrency and denotational
+		  semantics. },
+  acknowledgement={brucker, 2007-04-23},
+  bibkey	= {muller.ea:holcf:1999}
+}
+
+@Article{	  huet:programtransformations:1978,
+  author	= {G{\'e}rard Huet and Bernard Lang},
+  title		= {Proving and Applying Program Transformations Expressed
+		  with Second Order Patterns},
+  journal	= {Acta Informatica},
+  volume	= 11,
+  year		= 1978,
+  pages		= {31--55},
+  number	= 1,
+  doi		= {10.1007/BF00264598},
+  acknowledgement={brucker, 2007-04-23},
+  bibkey	= {huet:programtransformations:1978}
+}
+
+@PhDThesis{	  kyas:verifying:2006,
+  author	= {Marcel Kyas},
+  title		= {Verifying {\acs{ocl}} Specifications of {\acs{uml}}
+		  Models: Tool Support and Compositionality},
+  school	= {University of Leiden},
+  year		= 2006,
+  acknowledgement={brucker, 2007-04-23},
+  abstract	= {The Unified Modelling Language (\acs{uml}) and the Object
+		  Constraint Language (OCL) serve as specification languages
+		  for embedded and real-time systems used in a
+		  safety-critical environment. In this dissertation class
+		  diagrams, object diagrams, and OCL constraints are
+		  formalised. The formalisation serves as foundation for a
+		  translation of class diagrams, state machines, and
+		  constraints into the theorem prover PVS. This enables the
+		  formal verification of models defined in a subset of
+		  \acs{uml} using the interactive theorem prover. The type
+		  system of OCL makes writing specifications difficult while
+		  the model is still under development. To overcome this
+		  difficulty a new type system is proposed, based on
+		  intersection types, union types, and bounded operator
+		  abstraction. To reduce the complexity of the model and to
+		  increase the structure of the specification, compositional
+		  reasoning is used. The introduction of history variables
+		  allows compositional specifications. Proof rules support
+		  compositional reasoning. The feasibility of the presented
+		  approach is demonstrated by two case-studies. The first one
+		  is the "Sieve of Eratosthenes" and the second one is a part
+		  of the medium altitude reconnaissance system (MARS)
+		  deployed in F-16 fighters of the Royal Dutch Air Force.},
+  isbn		= {3-86541-142-8},
+  publisher	= {Lehmanns Media},
+  address	= {Berlin},
+  file		= {papers/2006/kyas-verifying-2006.tgz}
+}
+
+@Article{	  bertino.ea:object-oriented:1992,
+  author	= {Elisa Bertino and Mauro Negri and Giuseppe Pelagatti and
+		  Licia Sbattella},
+  title		= {Object-Oriented Query Languages: The Notion and the
+		  Issues},
+  journal	= j-tkde,
+  volume	= 4,
+  number	= 3,
+  doi		= {10.1109/69.142014},
+  library	= {DINF-K},
+  year		= 1992,
+  pages		= {223--237},
+  abstract	= {The authors describe how the characteristics of an
+		  object-oriented data model, such as object identity,
+		  complex object structure, methods, and class hierarchies,
+		  have an impact on the design of a query language. They also
+		  point out major differences with respect to relational
+		  query languages. The discussion is supported through the
+		  definition of OOPC, a formal object-oriented query language
+		  based on predicate calculus, which incorporates in a
+		  consistent formal notation most features of existing
+		  object-oriented query languages.},
+  acknowledgement={brucker, 2007-04-23},
+  bibkey	= {bertino.ea:object-oriented:1992}
+}
+
+@Article{	  beckert.ea:leant-ap:1995,
+  author	= {Bernhard Beckert and Joachim Posegga},
+  title		= {{\leanTAP}: Lean Tableau-based Deduction},
+  journal	= j-ar,
+  volume	= 15,
+  number	= 3,
+  pages		= {339--358},
+  year		= 1995,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  doi		= {10.1007/BF00881804},
+  acknowledgement={brucker, 2007-04-23},
+  bibkey	= {beckert.ea:leant-ap:1995}
+}
+
+@Article{	  jackson:alloy:2002,
+  author	= {Daniel Jackson},
+  title		= {{Alloy}: a lightweight object modelling notation},
+  journal	= j-tosem,
+  volume	= 11,
+  number	= 2,
+  year		= 2002,
+  issn		= {1049-331X},
+  pages		= {256--290},
+  doi		= {10.1145/505145.505149},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  acknowledgement={brucker, 2007-04-23},
+  abstract	= {Alloy is a little language for describing structural
+		  properties. It offers a declaration syntax compatible with
+		  graphical object models, and a set-based formula syntax
+		  powerful enough to express complex constraints and yet
+		  amenable to a fully automatic semantic analysis. Its
+		  meaning is given by translation to an even smaller
+		  (formally defined) kernel. This paper presents the language
+		  in its entirety, and explains its motivation, contributions
+		  and deficiencies. }
+}
+
+@Article{	  kobryn:uml:1999,
+  author	= {Cris Kobryn},
+  title		= {{\acs{uml}} 2001: a standardization odyssey},
+  journal	= j-cacm,
+  volume	= 42,
+  number	= 10,
+  year		= 1999,
+  issn		= {0001-0782},
+  pages		= {29--37},
+  doi		= {10.1145/317665.317673},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  language	= {USEnglish},
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@Article{	  basin.ea:natural:1998,
+  author	= {David A. Basin and Se{\'a}n Matthews and Luca Vigan{\`o}},
+  title		= {Natural Deduction for Non-Classical Logics},
+  journal	= {Studia Logica},
+  doi		= {10.1023/A:1005003904639},
+  year		= 1998,
+  volume	= 60,
+  number	= 1,
+  publisher	= pub-springer,
+  address	= pub-acm:adr,
+  issn		= {0039-3215},
+  acknowledgement={brucker, 2007-04-23},
+  pages		= {119--160},
+  language	= {USenglish},
+  note		= {Special issue on \emph{Natural Deduction} edited by Frank
+		  Pfenning and Wilfried Sieg},
+  abstract	= {We present a framework for machine implementation of
+		  families of non-classical logics with Kripke-style
+		  semantics. We decompose a logic into two interacting parts,
+		  each a natural deduction system: a base logic of labelled
+		  formulae, and a theory of labels characterizing the
+		  properties of the Kripke models. By appropriate
+		  combinations we capture both partial and complete fragments
+		  of large families of non-classical logics such as modal,
+		  relevance, and intuitionistic logics. Our approach is
+		  modular and supports uniform proofs of correctness and
+		  proof normalization. We have implemented our work in the
+		  Isabelle Logical Framework. }
+}
+
+@InProceedings{	  nipkow.ea:java-light:1998,
+  author	= {Tobias Nipkow and David von Oheimb},
+  title		= {{Java$_{{\ell}ight}$} is Type-Safe---Definitely},
+  booktitle	= {\acs{acm} Symp.\ Principles of Programming Languages
+		  (\acs{popl})},
+  publisher	= pub-acm,
+  isbn		= {0-89791-979-3},
+  address	= pub-acm:adr,
+  year		= 1998,
+  pages		= {161--170},
+  doi		= {10.1145/268946.268960},
+  location	= {San Diego, California, United States},
+  acknowledgement={brucker, 2007-04-23},
+  bibkey	= {nipkow.ea:java-light:1998}
+}
+
+@Article{	  bierman.ea:mj:2003,
+  author	= {Gavin M. Bierman and Matthew J. Parkinson},
+  title		= {Effects and effect inference for a core {Java} calculus},
+  journal	= j-entcs,
+  volume	= 82,
+  number	= 7,
+  year		= 2003,
+  doi		= {10.1016/S1571-0661(04)80803-X},
+  pages		= {1--26},
+  booktitle	= {WOOD2003, Workshop on Object Oriented Developments
+		  (Satellite Event of ETAPS 2003)},
+  acknowledgement={brucker, 2007-04-23},
+  bibkey	= {bierman.ea:mj:2003},
+  publisher	= pub-elsevier,
+  address	= pub-elsevier:adr
+}
+
+@Article{	  chiorean.ea:ensuring:2004,
+  author	= {Dan Chiorean and Mihai Pasca and Adrian C{\^a}rcu and
+		  Cristian Botiza and Sorin Moldovan},
+  title		= {Ensuring \acs{uml} Models Consistency Using the \acs{ocl}
+		  Environment.},
+  journal	= j-entcs,
+  volume	= 102,
+  booktitle	= PROC # { the Workshop, \acs{ocl} 2.0 -- Industry
+		  Standard or Scientific Playground?},
+  year		= 2004,
+  acknowledgement={brucker, 2007-04-24},
+  pages		= {99--110},
+  doi		= {10.1016/j.entcs.2003.09.005},
+  publisher	= pub-elsevier,
+  address	= pub-elsevier:adr
+}
+
+@Article{	  rauch.ea:formalizing:2003,
+  abstract	= {We present a formal model of the Java two's-complement
+		  integral arithmetics. The model directly formalizes the
+		  arithmetic operations as given in the Java Language
+		  Specification (JLS). The algebraic properties of these
+		  definitions are derived. Underspecifications and
+		  ambiguities in the JLS are pointed out and clarified. The
+		  theory is formally analyzed in Isabelle/HOL, that is,
+		  machine-checked proofs for the ring properties and
+		  divisor/remainder theorems etc. are provided. This work is
+		  suited to build the framework for machine-supported
+		  reasoning over arithmetic formulae in the context of Java
+		  source-code verification.},
+  author	= {Nicole Rauch and Burkhart Wolff},
+  journal	= j-entcs,
+  doi		= {10.1016/S1571-0661(04)80808-9},
+  acknowledgement={brucker, 2007-04-24},
+  publisher	= pub-elsevier,
+  address	= pub-elsevier:adr,
+  title		= {Formalizing {Java}'s Two's-Com\-ple\-ment Integral Type in
+		  {Isabelle}/\acs{hol}},
+  volume	= 80,
+  year		= 2003,
+  pages		= {1--18},
+  booktitle	= {International Workshop on Formal Methods for Industrial
+		  Critical Systems (\ac{fmics})}
+}
+
+@Article{	  kyas.ea:formalizing:2004,
+  journal	= j-entcs,
+  author	= {Kyas, Marcel and Fecher, Harald and de Boer, Frank S. and
+		  van der Zwaag, Mark and Hooman, Jozef and Arons, Tamarah
+		  and Kugler, Hillel},
+  title		= {Formalizing {\acs{uml}} Models and {\acs{ocl}} Constraints
+		  in {\acs{pvs}}},
+  booktitle	= {Workshop on Semantic Foundations of Engineering Design
+		  Languages (\acs{sfedl})},
+  year		= 2004,
+  doi		= {10.1016/j.entcs.2004.09.027 },
+  pages		= {39--47},
+  acknowledgement={brucker, 2007-04-24},
+  publisher	= pub-elsevier,
+  address	= pub-elsevier:adr
+}
+
+@Proceedings{	  grabowski.ea:formal:2005,
+  editor	= {Jens Grabowski and Brian Nielsen},
+  title		= {Formal Approaches to Software Testing (\textsc{fates})},
+  booktitle	= {Formal Approaches to Software Testing (\textsc{fates})},
+  series	= s-lncs,
+  volume	= 3395,
+  year		= 2005,
+  isbn		= {3-540-25109-X},
+  doi		= {10.1007/b106767},
+  acknowledgement={brucker, 2007-04-24},
+  publisher	= pub-springer,
+  address	= pub-springer:adr
+}
+
+@InCollection{	  kerber.ea:tableau:1996,
+  author	= {Manfred Kerber and Michael Kohlhase},
+  title		= {A Tableau Calculus for Partial Functions},
+  pages		= {21--49},
+  abstract	= {Even though it is not very often admitted, partial
+		  functions do play a significant role in many practical
+		  applications of deduction systems. Kleene has already given
+		  a semantic account of partial functions using a
+		  three-valued logic decades ago, but there has not been a
+		  satisfactory mechanization. Recent years have seen a
+		  thorough investigation of the framework of many-valued
+		  truth-functional logics. However, strong Kleene logic,
+		  where quantification is restricted and therefore not
+		  truth-functional, does not fit the framework directly. We
+		  solve this problem by applying recent methods from sorted
+		  logics. This paper presents a tableau calculus that
+		  combines the proper treatment of partial functions with the
+		  efficiency of sorted calculi.},
+  acknowledgement={brucker, 2007-04-24},
+  bibkey	= {kerber.ea:tableau:1996},
+  booktitle	= {Collegium Logicum---Annals of the Kurt-G{\"o}del-Society},
+  volume	= 2,
+  publisher	= pub-springer-ny,
+  address	= pub-springer-ny:adr,
+  isbn		= {3-211-82796-X},
+  year		= 1996
+}
+
+@InCollection{	  paulson:generic:1996,
+  author	= {Lawrence C. Paulson},
+  title		= {Generic automatic proof tools},
+  pages		= {23--47},
+  abstract	= {This paper explores a synthesis between two distinct
+		  traditions in automated reasoning: resolution and
+		  interaction. In particular it discusses Isabelle, an
+		  interactive theorem prover based upon a form of resolution.
+		  It aims to demonstrate the value of proof tools that,
+		  compared with traditional resolution systems, seem absurdly
+		  limited. Isabelle's classical reasoner searches for proofs
+		  using a tableau approach. The reasoner is generic: it
+		  accepts rules proved in applied theories, involving defined
+		  connectives. New constants are not reduced to first-order
+		  logic; the reasoner},
+  acknowledgement={brucker, 2007-04-24},
+  bibkey	= {paulson:generic:1996},
+  booktitle	= {Automated reasoning and its applications: essays in honor
+		  of {Larry Wos}},
+  year		= 1997,
+  editor	= {Robert Veroff},
+  publisher	= pub-mit,
+  address	= pub-mit:adr,
+  isbn		= {978-0-262-22055-2}
+}
+
+@InCollection{	  nipkow:order-sorted:1993,
+  author	= {Tobias Nipkow},
+  title		= {Order-Sorted Polymorphism in {Isabelle}},
+  booktitle	= {Workshop on Logical Environments},
+  editor	= {G\'erard Huet and Gordon Plotkin},
+  publisher	= pub-cup,
+  address	= pub-cup:adr,
+  year		= 1993,
+  location	= {Edinburgh, Scotland},
+  pages		= {164--188},
+  acknowledgement={brucker, 2007-04-24},
+  isbn		= {0-521-43312-6},
+  bibkey	= {nipkow:order-sorted:1993}
+}
+
+@InCollection{	  hahnle:tableaux:1999,
+  author	= {Reiner H\"ahnle},
+  booktitle	= {Handbook of Tableau Methods},
+  editor	= {Marcello D'Agostino and Dov Gabbay and Reiner H\"ahnle and
+		  Joachim Posegga},
+  isbn		= {978-0-792-35627-1},
+  publisher	= pub-kluwer,
+  address	= pub-kluwer:adr,
+  title		= {Tableaux for Many-Valued Logics},
+  pages		= {529--580},
+  year		= 1999,
+  public	= {no},
+  mynote	= {Postscript-File nicht weitergeben!},
+  abstract	= {This article reports on research done in the intersection
+		  between many-valued logics and logical calculi related to
+		  tableaux. A lot of important issues in many-valued logic,
+		  such as algebras arising from many-valued logic,
+		  many-valued function minimization, philosophical topics, or
+		  applications are not discussed here; for these, we refer
+		  the reader to general monographs and overviews such as
+		  [Rosser and Turquette, 1952; Rescher, 1969; Urquhart, 1986;
+		  Bolc and Borowik, 1992; Malinowski, 1993; Hahnle, 1994;
+		  Panti, to appear] . More questionable, perhaps, than the
+		  omissions is the need for a handbook chapter on tableaux
+		  for many-valued logics in the first place.},
+  bibkey	= {hahnle:tableaux:1999},
+  acknowledgement={brucker, 2007-04-24}
+}
+
+@InCollection{	  leavens.ea:jml:1999,
+  author	= {Gary T. Leavens and Albert L. Baker and Clyde Ruby},
+  title		= {{JML}: A Notation for Detailed Design},
+  booktitle	= {Behavioral Specifications of Businesses and Systems},
+  publisher	= pub-kluwer,
+  address	= pub-kluwer:adr,
+  editor	= {Haim Kilov and Bernhard Rumpe and Ian Simmonds},
+  pages		= {175--188},
+  year		= 1999,
+  isbn		= {978-0-7923-8629-2},
+  acknowledgement={brucker, 2007-04-24}
+}
+
+@InCollection{	  paulson:fixedpoint:2000,
+  author	= {Lawrence C. Paulson},
+  pages		= {187--211},
+  title		= {A fixedpoint approach to (co)inductive and (co)datatype
+		  definitions},
+  acknowledgement={brucker, 2007-04-24},
+  abstract	= {This paper presents a fixedpoint approach to inductive
+		  definitions. In- stead of using a syntactic test such as
+		  ``strictly positive,'' the approach lets definitions
+		  involve any operators that have been proved monotone. It is
+		  conceptually simple, which has allowed the easy
+		  implementation of mutual recursion and iterated
+		  definitions. It also handles coinductive definitions:
+		  simply replace the least fixedpoint by a greatest
+		  fixedpoint. The method has been implemented in two of
+		  Isabelle's logics, zf set theory and higher-order logic. It
+		  should be applicable to any logic in which the
+		  Knaster-Tarski theorem can be proved. Examples include
+		  lists of n elements, the accessible part of a relation and
+		  the set of primitive recursive functions. One example of a
+		  coinductive definition is bisimulations for lazy lists.
+		  Recursive datatypes are examined in detail, as well as one
+		  example of a codatatype: lazy lists. The Isabelle package
+		  has been applied in several large case studies, including
+		  two proofs of the Church-Rosser theorem and a coinductive
+		  proof of semantic consistency. The package can be trusted
+		  because it proves theorems from definitions, instead of
+		  asserting desired properties as axioms. },
+  bibkey	= {paulson:fixedpoint:2000},
+  crossref	= {plotkin.ea:proof:2000}
+}
+
+@InCollection{	  gordon:from:2000,
+  author	= {Mike Gordon},
+  title		= {From \acs{lcf} to {\acs{hol}}: a short history},
+  pages		= {169--185},
+  acknowledgement={brucker, 2007-04-24},
+  abstract	= {The original LCF system was a proof-checking program
+		  developed at Stanford University by Robin Milner in 1972.
+		  Descendents of LCF now form a thriving paradigm in computer
+		  assisted reasoning. Many of the developments of the last 25
+		  years have been due to Robin Milner, whose influence on the
+		  field of automated reasoning has been diverse and profound.
+		  One of the descendents of LCF is HOL, a proof assistant for
+		  higher order logic originally developed for reasoning about
+		  hardware. The multi-faceted contribution of Robin Milner to
+		  the development of HOL is remarkable. Not only did he
+		  invent the LCF-approach to theorem proving, but he also
+		  designed the ML programming language underlying it and the
+		  innovative polymorphic type system used both by ML and the
+		  LCF and HOL logics. Code Milner wrote is still in use
+		  today, and the design of the hardware verification system
+		  LCF_LSM (a now obsolete stepping stone from LCF to HOL) was
+		  inspired by Milner's Calculus of Communicating Systems
+		  (CCS). },
+  crossref	= {plotkin.ea:proof:2000}
+}
+
+@Book{		  plotkin.ea:proof:2000,
+  booktitle	= {Proof, Language, and Interaction: Essays in Honour of
+		  {Robin Milner}},
+  title		= {Proof, Language, and Interaction: Essays in Honour of
+		  {Robin Milner}},
+  publisher	= pub-mit,
+  address	= pub-mit:adr,
+  year		= 2000,
+  isbn		= {978-0-262-16188-6},
+  acknowledgement={brucker, 2007-04-24},
+  editor	= {Gordon Plotkin and Colin Stirling and Mads Tofte}
+}
+
+@InCollection{	  pfenning:logical:2001,
+  author	= {Frank Pfenning},
+  title		= {Logical Frameworks},
+  booktitle	= {Handbook of Automated Reasoning},
+  editor	= {Alan Robinson and Andrei Voronkov},
+  chapter	= 17,
+  volume	= 2,
+  isbn		= {0-444-50812-0},
+  pages		= {1063--1147},
+  publisher	= pub-elsevier,
+  address	= pub-elsevier:adr,
+  year		= 2001,
+  acknowledgement={brucker, 2007-04-24},
+  abstract	= {The specification of a deductive system usually proceeds
+		  in two stages: first we define the syntax of an object
+		  language and then the axioms and rules of inference. In
+		  order to concentrate on the meanings of expressions we
+		  ignore issues of concrete syntax and parsing and
+		  concentrate on specifying abstract syntax. Di#erent
+		  framework implementations provide di#erent means for
+		  customizing the parser in order to embed the desired
+		  object-language syntax. As an example throughout this
+		  chapter we consider formulations of intuitionistic and
+		  classical first-order logic. In order to keep this chapter
+		  to a manageable length, we restrict ourselves to the
+		  fragment containing implication, negation, and universal
+		  quantification. The reader is invited to test his or her
+		  understanding by extending the development to include a
+		  more complete set of connectives and quantifiers. }
+}
+
+@InProceedings{	  pfenning:hoas:1988,
+  author	= {Frank Pfenning and Conal Elliot},
+  title		= {Higher-Order Abstract Syntax},
+  year		= 1988,
+  isbn		= {0-89791-269-1},
+  location	= {Atlanta, Georgia, United States},
+  doi		= {10.1145/53990.54010},
+  pages		= {199--208},
+  acknowledgement={brucker, 2007-04-24},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  booktitle	= {Conference on Programming Language Design and
+		  Implementation (\acs{pldi})},
+  bibkey	= {pfenning:hoas:1988}
+}
+
+@InProceedings{	  boulton.ea:experience:1993,
+  crossref	= {stavridou.ea:international:1993},
+  author	= {Richard Boulton and Andrew Gordon and Michael J. C. Gordon
+		  and John Harrison and John Herbert and John Van Tassel},
+  title		= {Experience with embedding hardware description languages
+		  in {\acs{hol}}},
+  bibkey	= {boulton.ea:experience:1993},
+  abstract	= {The semantics of hardware description languages can be
+		  represented in higher order logic. This provides a formal
+		  definition that is suitable for machine processing.
+		  Experiments are in progress at Cambridge to see whether
+		  this method can be the basis of practical tools based on
+		  the HOL theorem-proving assistant. Three languages are
+		  being investigated: ELLA, Silage and VHDL. The approaches
+		  taken for these languages are compared and current progress
+		  on building semantically-based theorem-proving tools is
+		  discussed.},
+  acknowledgement={brucker, 2007-04-24},
+  pages		= {129--156}
+}
+
+@Proceedings{	  stavridou.ea:international:1993,
+  editor	= {Victoria Stavridou and Thomas F. Melham and Raymond T.
+		  Boute},
+  booktitle	= PROC # { the International Conference on Theorem
+		  Provers in Circuit Design: Theory, Practice and
+		  Experience},
+  title		= {International Conference on Theorem Provers in Circuit
+		  Design: Theory, Practice and Experience (\acs{tpcd})},
+  series	= {\acs{ifip} Transactions},
+  volume	= {A-10},
+  isbn		= {0-444-89686-4},
+  publisher	= pub-north,
+  address	= pub-north:adr,
+  date		= {22--24 June 1993},
+  acknowledgement={brucker, 2007-04-24},
+  year		= 1993
+}
+
+@InProceedings{	  khoshafian.ea:object:1986,
+  author	= {Setrag N. Khoshafian and George P. Copeland},
+  title		= {Object identity},
+  booktitle	= {Object-oriented programming systems, languages and
+		  applications (\acs{oopsla})},
+  year		= 1986,
+  isbn		= {0-89791-204-7},
+  pages		= {406--416},
+  location	= {Portland, Oregon, United States},
+  doi		= {10.1145/28697.28739},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  acknowledgement={brucker, 2007-04-24}
+}
+
+@InProceedings{	  melham:package:1992,
+  author	= {Thomas F. Melham},
+  title		= {A Package for Inductive Relation Definitions in {\HOL}},
+  pages		= {350--357},
+  isbn		= {0-8186-2460-4},
+  editor	= {Myla Archer and Jennifer J. Joyce and Karl N. Levitt and
+		  Phillip J. Windley},
+  booktitle	= {International Workshop on the {\HOL} Theorem Proving
+		  System and its Applications (\acs{tphols})},
+  month		= aug,
+  publisher	= pub-ieee,
+  address	= pub-ieee:adr,
+  year		= 1992,
+  acknowledgement={brucker, 2007-04-24},
+  location	= {Davis, California, \acs{usa}},
+  bibkey	= {melham:package:1992}
+}
+
+@InProceedings{	  hahnle:efficient:1994,
+  doi		= {10.1109/ismvl.1994.302195},
+  author	= {Reiner H\"{a}hnle},
+  booktitle	= {International Symposium on Multiple-Valued Logics
+		  (\acs{ismvl})},
+  location	= {Boston/MA, \acs{usa}},
+  pages		= {240--249},
+  isbn		= {0-8186-5650-6},
+  publisher	= pub-ieee,
+  address	= pub-ieee:adr,
+  title		= {Efficient Deduction in Many-Valued Logics},
+  year		= 1994,
+  abstract	= {This paper tries to identify the basic problems
+		  encountered in automated theorem proving in many-valued
+		  logics and demonstrates to which extent they can be
+		  currently solved. To this end a number of recently
+		  developed techniques are reviewed. We list the avenues of
+		  research in many-valued theorem proving that are in our
+		  eyes the most promising.},
+  acknowledgement={brucker, 2007-04-24},
+  bibkey	= {hahnle:efficient:1994}
+}
+
+@InProceedings{	  nipkow.ea:java:2000,
+  author	= {Tobias Nipkow and David von Oheimb and Cornelia Pusch},
+  title		= {{$\mu$Java}: Embedding a Programming Language in a Theorem
+		  Prover},
+  booktitle	= {Foundations of Secure Computation},
+  series	= {\acs{nato} Science Series F: Computer and Systems
+		  Sciences},
+  volume	= 175,
+  year		= 2000,
+  publisher	= pub-ios,
+  address	= pub-ios:adr,
+  isbn		= {978-1-58603-015-5},
+  editor	= {Friedrich L. Bauer and Ralf Steinbr{\"u}ggen},
+  abstract	= {This paper introduces the subset $micro$Java of Java,
+		  essentially by omitting everything but classes. The type
+		  system and semantics of this language (and a corresponding
+		  abstract Machine $micro$JVM) are formalized in the theorem
+		  prover Isabelle/\acs{hol}. Type safety both of $micro$Java
+		  and the $micro$JVM are mechanically verified.
+		  
+		  To make the paper self-contained, it starts with
+		  introductions to Isabelle/\acs{hol} and the art of
+		  embedding languages in theorem provers.},
+  pages		= {117--144},
+  acknowledgement={brucker, 2007-04-24},
+  bibkey	= {nipkow.ea:java:2000}
+}
+
+@InProceedings{	  beckert.ea:translating:2002,
+  editor	= {Serge Autexier and Heiko Mantel},
+  pages		= {113--123},
+  booktitle	= {Verification Workshop (\acs{verify})},
+  location	= {Copenhagen, Denmark},
+  author	= {Bernhard Beckert and Uwe Keller and Peter H. Schmitt},
+  title		= {Translating the {O}bject {C}onstraint {L}anguage into
+		  First-order Predicate Logic},
+  year		= 2002,
+  abstract	= {In this paper, we define a translation of \acs{uml} class
+		  diagrams with OCL constraints into first-order predicate
+		  logic. The goal is logical reasoning about \acs{uml} models.
+		  
+		  We put an emphasis on usability of the formulas resulting
+		  from the translation, and we have developed optimisations
+		  and heuristics to enhance the efficiency of the theorem
+		  proving process.
+		  
+		  The translation has been implemented as part of the KeY
+		  system, but our implementation can also be used
+		  stand-alone. },
+  acknowledgement={brucker, 2007-04-24},
+  bibkey	= {beckert.ea:translating:2002}
+}
+
+@InProceedings{	  demuth.ea:generation:2005,
+  author	= {Birgit Demuth and Heinrich Hussmann and Ansgar Konermann},
+  title		= {Generation of an {\acs{ocl}} 2.0 Parser},
+  booktitle	= {Workshop on Tool Support for \acs{ocl} and Related
+		  Formalisms---Needs and Trends},
+  location	= {Montego Bay, Jamaica, October 4, 2005},
+  pages		= {38--52},
+  publisher	= {\acs{epfl}},
+  year		= 2005,
+  editor	= {Thomas Baar},
+  series	= {Technical Report LGL-REPORT-2005-001},
+  acknowledgement={brucker, 2007-04-24}
+}
+
+@InProceedings{	  aredo:formalizing:1999,
+  author	= {Demissie B. Aredo},
+  booktitle	= {\acs{oopsla}'99 Workshop on Rigorous Modeling and Analysis
+		  with the \acs{uml}: Challenges and Limitations, Denver,
+		  Colorado},
+  title		= {Formalizing {\acs{uml}} Class Diagrams in {\acs{pvs}}},
+  year		= 1999,
+  month		= nov,
+  address	= {Denver, Colorado, \acs{usa}},
+  acknowledgement={brucker, 2007-04-24}
+}
+
+@InProceedings{	  jackson.ea:alcoa:2000,
+  abstract	= {Alcoa is a tool for analyzing object models. It has a
+		  range of uses. At one end, it can act as a support tool for
+		  object model diagrams, checking for consistency of
+		  multiplicities and generating sample snapshots. At the
+		  other end, it embodies a lightweight formal method in which
+		  subtle properties of behaviour can be investigated. Alcoa's
+		  input language, Alloy, is a new notation based on Z. Its
+		  development was motivated by the need for a notation that
+		  is more closely tailored to object models (in the style of
+		  \acs{uml}), and more amenable to automatic analysis. Like
+		  Z, Alloy supports the description of systems whose state
+		  involves complex relational structure. State and
+		  behavioural properties are described declaratively, by
+		  conjoining constraints. This makes it possible to develop
+		  and analyze a model incrementally, with Alcoa investigating
+		  the consequences of whatever constraints are given. Alcoa
+		  works by translating constraints to boolean formulas, and
+		  then applying state-of-the-art SAT solvers. It can analyze
+		  billions of states in seconds. },
+  author	= {Daniel Jackson and Ian Schechter and Ilya Shlyakhter },
+  booktitle	= {International Conference on Software Engineering
+		  (\acs{icse})},
+  language	= {USenglish},
+  month		= jun,
+  public	= {yes},
+  doi		= {10.1109/ICSE.2000.870482},
+  location	= {Limerick, Ireland},
+  isbn		= {1-58113-206-9},
+  pages		= {730--733},
+  topic		= {formalism},
+  keywords	= {Aloca, Alloy},
+  title		= {{A}lcoa: the {A}lloy Constraint Analyzer },
+  year		= 2000,
+  timestamp	= 962701274,
+  acknowledgement={none},
+  publisher	= pub-acm,
+  address	= pub-acm:adr
+}
+
+@Article{	  hahnle:many-valued:2005,
+  author	= {Reiner H\"{a}hnle},
+  title		= {Many-Valued Logic, Partiality, and Abstraction in Formal
+		  Specification Languages},
+  journal	= {Logic Journal of the \textsc{igpl}},
+  year		= 2005,
+  volume	= 13,
+  pages		= {415--433},
+  month		= jul,
+  doi		= {10.1093/jigpal/jzi032},
+  number	= 4,
+  acknowledgement={brucker, 2007-05-04}
+}
+
+@Booklet{	  levens.ea:jml:2007,
+  bibkey	= {levens.ea:jml:2007},
+  author	= {Gary T. Leavens and Erik Poll and Curtis Clifton and
+		  Yoonsik Cheon and Clyde Ruby and David R. Cok and Peter
+		  M\"{u}ller and Joseph Kiniry and Patrice Chalin},
+  title		= {{\acs{jml}} Reference Manual (Revision 1.2)},
+  month		= feb,
+  year		= 2007,
+  organization	= {Department of Computer Science, Iowa State University.},
+  note		= {Available from \url{http://www.jmlspecs.org}},
+  acknowledgement={brucker, 2007-04-23}
+}
+
+@InProceedings{	  broy.ea:uml2:2006,
+  bibkey	= {broy.ea:uml2:2006},
+  author	= {Manfred Broy and Michelle L. Crane and J{\"u}rgen Dingel
+		  and Alan Hartman and Bernhard Rumpe and Bran Selic},
+  title		= {2nd \acs{uml} 2 Semantics Symposium: Formal Semantics for
+		  {\acs{uml}}},
+  doi		= {10.1007/978-3-540-69489-2_39},
+  pages		= {318--323},
+  abstract	= {The purpose of this symposium, held in conjunction with
+		  \acs{models} 2006, was to present the current state of
+		  research of the UML 2 Semantics Project. Equally important
+		  to receiving feedback from an audience of experts was the
+		  opportunity to invite researchers in the field to discuss
+		  their own work related to a formal semantics for the
+		  Unified Modeling Language. This symposium is a follow-on to
+		  our first workshop, held in conjunction with ECMDA 2005.},
+  acknowledgement={brucker, 2007-04-23},
+  crossref	= {kuhne:models:2006}
+}
+
+@InProceedings{	  hafner.ea:towards:2006,
+  author	= {Michael Hafner and Muhammad Alam and Ruth Breu},
+  title		= {Towards a {MOF/QVT}-Based Domain Architecture for Model
+		  Driven Security},
+  booktitle	= {MoDELS},
+  year		= 2006,
+  pages		= {275--290},
+  ee		= {10.1007/11880240_20},
+  crossref	= {nierstrasz.ea:model:2006}
+}
+
+@Proceedings{	  kuhne:models:2006,
+  doi		= {10.1007/978-3-540-69489-2},
+  booktitle	= {Models in Software Engineering---Workshops and Symposia at
+		  \acs{models} 2006},
+  title		= {Models in Software Engineering---Workshops and Symposia at
+		  \acs{models} 2006},
+  isbn		= {978-3-540-69488-5},
+  publisher	= pub-springer,
+  paddress	= pub-springer:adr,
+  address	= {Genua, Italy},
+  volume	= 4364,
+  series	= s-lncs,
+  year		= 2006,
+  acknowledgement={brucker, 2007-04-23},
+  editor	= {Thomas K{\"u}hne}
+}
+
+@Book{		  russell:introduction:1919,
+  author	= {Bertrand Russell},
+  title		= {Introduction to Mathematical Philosophy},
+  publisher	= {George Allen \& Unwin},
+  year		= 1919,
+  acknowledgement={brucker, 2007-04-23},
+  address	= {London}
+}
+
+@Article{	  bertino.ea:trbac:2001,
+  author	= {Elisa Bertino and Piero Andrea Bonatti and Elena Ferrari},
+  title		= {TRBAC: A temporal role-based access control model},
+  journal	= {ACM Trans. Inf. Syst. Secur.},
+  volume	= 4,
+  number	= 3,
+  year		= 2001,
+  issn		= {1094-9224},
+  pages		= {191--233},
+  doi		= {10.1145/501978.501979},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  tags		= {noTAG},
+  clearance	= {unclassified},
+  timestap	= {2008-05-29}
+}
+
+@Article{	  moyer.ea:generalized:2001,
+  title		= {Generalized role-based access control},
+  author	= {Moyer, M.J. and Abamad, M.},
+  journal	= {Distributed Computing Systems, 2001. 21st International
+		  Conference on.},
+  year		= 2001,
+  month		= {Apr},
+  pages		= {391--398},
+  keywords	= {authorisation, distributed processing, transaction
+		  processingGRBAC, JPEG, RBAC, access control, access control
+		  decisions, access control models, environment roles,
+		  environmental information, expressive power, generalized
+		  role based access control, object roles, object type, rich
+		  access control policies, security policy, security-relevant
+		  characteristics, sensitivity level, subject roles},
+  doi		= {10.1109/ICDSC.2001.918969},
+  abstract	= {Generalized Role-Based Access Control (GRBAC) is a new
+		  paradigm for creating and maintaining rich access control
+		  policies. GRBAC leverages and extends the power of
+		  traditional role based access control (RBAC) by
+		  incorporating subject roles, object roles and environment
+		  roles into access control decisions. Subject roles are like
+		  traditional RBAC roles: they abstract the security-relevant
+		  characteristics of subjects into categories that can be
+		  used in defining a security policy. Similarly, object roles
+		  abstract the various properties of objects, such as object
+		  type (e.g., text, JPEG, executable) or sensitivity level
+		  (e.g., classified, top secret) into categories. Environment
+		  roles capture environmental information, such as time of
+		  day or system load so it can be used to mediate access
+		  control. Together, these three types of roles offer
+		  flexibility and expressive power, as well as a degree of
+		  usability not found in current access control models},
+  tags		= {noTAG},
+  clearance	= {unclassified},
+  timestap	= {2008-05-29}
+}
+
+@InProceedings{	  zhang.ea:role-based:2002,
+  author	= {Longhua Zhang and Gail-Joon Ahn and Bei-Tseng Chu},
+  title		= {A role-based delegation framework for healthcare
+		  information systems},
+  booktitle	= PROC # { the seventh \acs{acm} symposium on Access
+		  control models and technologies (\acs{sacmat})},
+  year		= 2002,
+  isbn		= {1-58113-496-7},
+  pages		= {125--134},
+  location	= {Monterey, California, \acs{usa}},
+  doi		= {10.1145/507711.507731},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  abstract	= {As organizations implement information strategies that
+		  call for sharing access to resources in the networked
+		  environment, mechanisms must be provided to protect the
+		  resources from adversaries. The proposed delegation
+		  framework addresses the issue of how to advocate selective
+		  information sharing in role-based systems while minimizing
+		  the risks of unauthorized access. We introduce a systematic
+		  approach to specify delegation and revocation policies
+		  using a set of rules. We demonstrate the feasibility of our
+		  framework through policy specification, enforcement, and a
+		  proof-of-concept implementation on specific domains, e.g.
+		  the healthcare environment. We believe that our work can be
+		  applied to organizations that rely heavily on collaborative
+		  tasks.},
+  tags		= {noTAG},
+  clearance	= {unclassified},
+  timestap	= {2008-05-29}
+}
+
+@InProceedings{	  wilikens.ea:context-related:2002,
+  author	= {Marc Wilikens and Simone Feriti and Alberto Sanna and
+		  Marcelo Masera},
+  title		= {A context-related authorization and access control method
+		  based on \acs{rbac}: A case study from the health care
+		  domain},
+  booktitle	= PROC # { the seventh \acs{acm} symposium on Access
+		  control models and technologies (\acs{sacmat})},
+  year		= 2002,
+  isbn		= {1-58113-496-7},
+  pages		= {117--124},
+  location	= {Monterey, California, USA},
+  doi		= {10.1145/507711.507730},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  abstract	= {This paper describes an application of authorization and
+		  access control based on the Role Based Access Control
+		  (RBAC) method and integrated in a comprehensive trust
+		  infrastructure of a health care application. The method is
+		  applied to a health care business process that involves
+		  multiple actors accessing data and resources needed for
+		  performing clinical and logistics tasks in the application.
+		  The notion of trust constituency is introduced as a concept
+		  for describing the context of authorisation. In addition,
+		  the applied RBAC covers time constraints, hierarchies and
+		  multi-level authorization rules for coping with the
+		  multi-actor nature and the complexity of the application
+		  domain. The DRIVE RBAC model clearly distinguishes between
+		  static role assignment to users and dynamic allocation of
+		  roles at session time. The paper, while focusing on the
+		  authorization and access control approach, also describes
+		  how the RBAC functions have been integrated in a trust
+		  infrastructure including smart cards.},
+  tags		= {noTAG},
+  clearance	= {unclassified},
+  timestap	= {2008-05-29}
+}
+
+@InProceedings{	  ahn.ea:towards:2007,
+  author	= {Gail-Joon Ahn and Hongxin Hu},
+  title		= {Towards realizing a formal \acs{rbac} model in real
+		  systems},
+  booktitle	= PROC # { the seventh \acs{acm} symposium on Access
+		  control models and technologies (\acs{sacmat})},
+  year		= 2007,
+  isbn		= {978-1-59593-745-2},
+  pages		= {215--224},
+  location	= {Sophia Antipolis, France},
+  doi		= {10.1145/1266840.1266875},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  abstract	= {There still exists an open question on how formal models
+		  can be fully realized in the system development phase. The
+		  Model Driven Development (MDD) approach has been recently
+		  introduced to deal with such a critical issue for building
+		  high assurance software systems.
+		  
+		  There still exists an open question on how formal models
+		  can be fully realized in the system development phase. The
+		  Model Driven Development (MDD) approach has been recently
+		  introduced to deal with such a critical issue for building
+		  high assurance software systems.
+		  
+		  The MDD approach focuses on the transformation of
+		  high-level design models to system implementation modules.
+		  However, this emerging development approach lacks an
+		  adequate procedure to address security issues derived from
+		  formal security models. In this paper, we propose an
+		  empirical framework to integrate security model
+		  representation, security policy specification, and
+		  systematic validation of security model and policy, which
+		  would be eventually used for accommodating security
+		  concerns during the system development. We also describe
+		  how our framework can minimize the gap between security
+		  models and the development of secure systems. In addition,
+		  we overview a proof-of-concept prototype of our tool that
+		  facilitates existing software engineering mechanisms to
+		  achieve the above-mentioned features of our framework.},
+  tags		= {noTAG},
+  clearance	= {unclassified},
+  timestap	= {2008-05-29}
+}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%% un-checked entries
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+@Book{		  woodcock.ea:using:1996,
+  abstract	= {This book contains enough material for three complete
+		  courses of study. It provides an introduction to the world
+		  of logic, sets and relations. It explains the use of the
+		  Znotation in the specification of realistic systems. It
+		  shows how Z specifications may be refined to produce
+		  executable code; this is demonstrated in a selection of
+		  casestudies.This book is both authoritative and
+		  comprehensive. It strikes the right balance between the
+		  formality of mathematics and the practical needs of
+		  industrial softwaredevelopment. It is faithful to the draft
+		  ISO standard for Z. It covers the essentials of
+		  specification, refinement, and proof, revealing techniques
+		  never previouslypublished.},
+  author	= {Jim Woodcock and Jim Davies},
+  price		= {\$37.95},
+  length	= 391,
+  isbn		= {0-13-948472-8},
+  language	= {USenglish},
+  public	= {yes},
+  publisher	= {Prentice Hall},
+  title		= {Using {Z}: {S}pecification, {R}efinement, and {P}roof},
+  series	= {Prentice Hall International Series in Computer Science},
+  topic		= {formalism},
+  keywords	= {formal methods, Z},
+  library	= {FAW (25/91): 91: CD/3.2/125},
+  url		= {http://softeng.comlab.ox.ac.uk/usingz/},
+  year		= 1996,
+  timestamp	= 962966715,
+  acknowledgement={none},
+  bibkey	= {woodcock.ea:using:1996}
+}
+
+@InProceedings{	  dick.ea:testing:1993,
+  bibkey	= {dick.ea:testing:1993},
+  author	= {Jeremy Dick and Alain Faivre},
+  title		= {Automating the Generation and Sequencing of Test Cases
+		  from Model-Based Specications},
+  pages		= {268--284},
+  booktitle	= {Formal Methods Europe 93: Industrial-Strength Formal
+		  Methods},
+  editor	= {J.C.P. Woodcock and P.G. Larsen},
+  month		= apr,
+  year		= 1993,
+  volume	= 670,
+  series	= s-lncs,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  acknowledgement={none}
+}
+
+@Article{	  grieskamp.ea:instrumenting:2004,
+  author	= {Wolfgang Grieskamp and Nikolai Tillmann and Margus
+		  Veanes},
+  booktitle	= {Third International Conference on Quality Software: QSIC
+		  2003},
+  title		= {Instrumenting scenarios in a model-driven development
+		  environment},
+  journal	= {Information and Software Technology},
+  year		= 2004,
+  number	= 15,
+  volume	= 46,
+  pages		= {1027--1036},
+  doi		= {10.1016/j.infsof.2004.07.007},
+  abstract	= {SpecExplorer is an integrated environment for model-driven
+		  development of .NET software. In this paper we discuss how
+		  scenarios can be described in SpecExplorer's modeling
+		  language, Spec#, and how the SpecExplorer tool can be used
+		  to validate those scenarios by various means.},
+  acknowledgement={none},
+  bibkey	= {grieskamp.ea:instrumenting:2004}
+}
+
+@Book{		  abrial:event-b:2009,
+  bibkey	= {abrial:event-b:2009},
+  title		= {Modeling in Event-B: System and Software Design},
+  publisher	= {Cambridge University Press},
+  year		= 2009,
+  author	= {Jean-Raymond Abrial},
+  acknowledgement={none},
+  address	= {New York, \acs{ny}, \acs{usa}}
+}
+
+@Book{		  abrial:b-book:1996,
+  bibkey	= {abrial:b-book:1996},
+  author	= {Jean-Raymond Abrial},
+  title		= {The {B-Book}: assigning programs to meanings},
+  year		= 1996,
+  isbn		= {0-521-49619-5},
+  publisher	= {Cambridge University Press},
+  acknowledgement={none},
+  address	= {New York, \acs{ny}, \acs{usa}}
+}
+
+@TechReport{	  leino.ea:escjava:2000,
+  abstract	= {The Compaq Extended Static Checker for Java (ESC/Java) is
+		  a programming tool that attempts to find common run-time
+		  errors in Java programs by static analysis of the program
+		  text. Users can control the amount and kinds of checking
+		  that ESC/Java performs by annotating their programs with
+		  specially formatted comments called pragmas. This manual is
+		  designed to serve both as an introduction to ESC/Java and
+		  as a reference manual. It starts by providing an overview
+		  of ESC/Java through an illustrative example of its use and
+		  a summary of its features, and then goes on to document all
+		  the pragmas supported by ESC/Java and all the kinds of
+		  warnings that it generates. Appendices provide a brief
+		  sketch of ESC/Java's implementation, information about
+		  obtaining ESC/Java, and some discussion of its
+		  limitations},
+  author	= {K. Rustan M. Leino and Greg Nelson and James B. Saxe},
+  institution	= {Compaq Systems Research Center},
+  language	= {USenglish},
+  month		= oct,
+  public	= {yes},
+  title		= {{\acs{esc}}/{Java} User's Manual},
+  url		= {http://gatekeeper.dec.com/pub/DEC/SRC/technical-notes/abstracts/src-tn-2000-002.html}
+		  ,
+  number	= {SRC-2000-002},
+  year		= 2000,
+  keywords	= {Java},
+  topic		= {tools},
+  acknowledgement={none},
+  bibkey	= {leino.ea:escjava:2000}
+}
+
+@Book{		  kleppe.ea:mda:2003,
+  bibkey	= {kleppe.ea:mda:2003},
+  title		= {\acs{mda} Explained. The Model Driven Architecture:
+		  Practice and Promise},
+  acknowledgement={none},
+  publisher	= {Addison-Wesley},
+  year		= 2003,
+  author	= {Anneke Kleppe and Jos Warmer and Wim Bast}
+}
+
+@Article{	  schmidt:mde:2006,
+  author	= {Douglas C. Schmidt},
+  title		= {Guest Editor's Introduction: Model-Driven Engineering},
+  journal	= {Computer},
+  volume	= 39,
+  number	= 2,
+  acknowledgement={none},
+  year		= 2006,
+  issn		= {0018-9162},
+  pages		= {25--31},
+  doi		= {10.1109/MC.2006.58},
+  publisher	= {IEEE Computer Society},
+  address	= {Los Alamitos, \acs{ca}, \acs{usa}}
+}
+
+@InCollection{	  gaudel:testing:1995,
+  author	= {Marie Claude Gaudel},
+  title		= {Testing can be formal, too},
+  year		= 1995,
+  booktitle	= {\textsc{tapsoft}'95: Theory and Practice of Software
+		  Development},
+  isbn		= {3-540-59293-8},
+  address	= pub-springer:adr,
+  paddress	= {Heidelberg, Germany},
+  pages		= {82--96},
+  publisher	= pub-springer,
+  series	= s-lncs,
+  number	= 915,
+  editor	= {Peter D. Mosses and Mogens Nielsen and Michael I.
+		  Schwartzbach},
+  acknowledgement={none},
+  bibkey	= {gaudel:testing:1995}
+}
+
+@InProceedings{	  jurjens.ea:specification-based:2001,
+  author	= {Jan J{\"u}rjens and Guido Wimmel},
+  title		= {Specification-Based Testing of Firewalls},
+  booktitle	= {Ershov Memorial Conference},
+  year		= 2001,
+  pages		= {308--316},
+  crossref	= {bjorner.ea:perspectives:2001},
+  acknowledgement={none}
+}
+
+@Proceedings{	  bjorner.ea:perspectives:2001,
+  editor	= {Dines Bj{\o}rner and Manfred Broy and Alexandre V.
+		  Zamulin},
+  title		= {Perspectives of System Informatics, 4th International
+		  Andrei Ershov Memorial Conference, PSI 2001, Akademgorodok,
+		  Novosibirsk, Russia, July 2-6, 2001, Revised Papers},
+  booktitle	= {Ershov Memorial Conference},
+  publisher	= pub-springer,
+  adress	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 2244,
+  year		= 2001,
+  isbn		= {3-540-43075-X},
+  acknowledgement={none}
+}
+
+@incollection{Tuong-IsabelleC:2019,
+  address = {Heidelberg},
+  author = {Fr\'ederic Tuong and Burkhart Wolff},
+  booktitle = {International Workshop on Formal Integrated Development Environments (F-IDE)},
+  doi = {10.4204/EPTCS.310.3},
+  keywords = {Isabelle, HOL, C11, Program Verification, Program Testing},
+  language = {USenglish},
+  location = {Porto, Protogal},
+  number = {314},
+  pdf = {https://www.lri.fr/~wolff/papers/conf/2019-fide-isabelle_c.pdf},
+  publisher = {Open Publishing Association},
+  series = {Electronic Proceedings in Theoretical Computer Science (EPTCS)},
+  title = {{D}eeply {I}ntegrating {C11} {C}ode {S}upport into {I}sabelle/{PIDE}},
+  year = {2019}
+}
+
+
+@InProceedings{	  bishop.ea:rigorous:2005,
+  author	= {Steve Bishop and Matthew Fairbairn and Michael Norrish and
+		  Peter Sewell and Michael Smith and Keith Wansbrough},
+  title		= {Rigorous specification and conformance testing techniques
+		  for network protocols, as applied to TCP, UDP, and
+		  sockets},
+  booktitle	= {SIGCOMM},
+  year		= 2005,
+  pages		= {265--276},
+  doi		= {10.1145/1080091.1080123},
+  crossref	= {guerin.ea:proceedings:2005},
+  acknowledgement={none}
+}
+
+@Proceedings{	  guerin.ea:proceedings:2005,
+  editor	= {Roch Gu{\'e}rin and Ramesh Govindan and Greg Minshall},
+  title		= PROC # { the ACM SIGCOMM 2005 Conference on
+		  Applications, Technologies, Architectures, and Protocols
+		  for Computer Communications, Philadelphia, Pennsylvania,
+		  \acs{usa}, August 22-26, 2005},
+  booktitle	= {SIGCOMM},
+  publisher	= pub-acm,
+  adress	= pub-acm:adr,
+  year		= 2005,
+  isbn		= {1-59593-009-4},
+  acknowledgement={none}
+}
+
+@InProceedings{	  senn.ea:firewall:2005,
+  abstract	= {Firewalls are widely used to protect networks from
+		  unauthorised access. To ensure that they implement an
+		  organisation's security policy correctly, they need to be
+		  tested. We present an approach that addresses this problem.
+		  Namely, we show how an organisation's network security
+		  policy can be formally specified in a high-level way, and
+		  how this specification can be used to automatically
+		  generate test cases to test a deployed system. In contrast
+		  to other firewall testing methodologies, such as
+		  penetration testing, our approach tests conformance to a
+		  specified policy. Our test cases are organisation-specific
+		  --- i.e.~they depend on the security requirements and on
+		  the network topology ofan organisation --- and can uncover
+		  errors both in the firewall products themselves and in
+		  their configuration.},
+  author	= {Diana Senn and David A. Basin and Germano Caronni},
+  booktitle	= {TestCom 2005},
+  editor	= {Ferhat Khendek and Rachida Dssouli},
+  isbn		= {3-540-26054-4},
+  language	= {UKenglish},
+  month		= {May},
+  pages		= {226--241},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  title		= {Firewall Conformance Testing},
+  volume	= 3502,
+  year		= 2005,
+  acknowledgement={none}
+}
+
+@PhDThesis{	  bidder:specification:2007,
+  author	= {Diana von Bidder},
+  title		= {Specification-based Firewall Testing},
+  school	= {ETH Zurich},
+  year		= 2007,
+  public	= {yes},
+  type		= {Ph.D. Thesis},
+  acknowledgement={none},
+  classification= {thesis},
+  note		= {\acs{eth} Dissertation No. 17172. Diana von Bidder's
+		  maiden name is Diana Senn.}
+}
+
+@InCollection{    wenzel.ea:building:2007,
+  abstract      = {We present the generic system framework of
+                  Isabelle/Isarunderlying recent versions of Isabelle. Among
+                  other things, Isar provides an infrastructure for Isabelle
+                  plug-ins, comprising extensible state components and
+                  extensible syntax that can be bound to tactical ML
+                  programs. Thus the Isabelle/Isar architecture may be
+                  understood as an extension and refinement of the
+                  traditional LCF approach, with explicit infrastructure for
+                  building derivative systems. To demonstrate the technical
+                  potential of the framework, we apply it to a concrete
+                  formalmethods tool: the HOL-Z 3.0 environment, which is
+                  geared towards the analysis of Z specifications and formal
+                  proof of forward-refinements.},
+  author        = {Makarius Wenzel and Burkhart Wolff},
+  booktitle     = {TPHOLs 2007},
+  editor        = {Klaus Schneider and Jens Brandt},
+  language      = {USenglish},
+  acknowledgement={none},
+  pages         = {352--367},
+  publisher     = pub-springer,
+  address       = pub-springer:adr,
+  number        = 4732,
+  series        = s-lncs,
+  title         = {Building Formal Method Tools in the {Isabelle}/{Isar}
+                  Framework},
+  doi           = {10.1007/978-3-540-74591-4_26},
+  year          = 2007
+}
+
+@Article{	  igarashi.ea:featherweight:2001,
+  author	= {Atsushi Igarashi and Benjamin C. Pierce and Philip
+		  Wadler},
+  title		= {{Featherweight Java}: a minimal core calculus for {Java}
+		  and {\acs{gj}}},
+  journal	= j-toplas,
+  volume	= 23,
+  number	= 3,
+  year		= 2001,
+  issn		= {0164-0925},
+  pages		= {396--450},
+  doi		= {10.1145/503502.503505},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  acknowledgement={none},
+  abstract	= {Several recent studies have introduced lightweight
+		  versions of Java: reduced languages in which complex
+		  features like threads and reflection are dropped to enable
+		  rigorous arguments about key properties such as type
+		  safety. We carry this process a step further, omitting
+		  almost all features of the full language (including
+		  interfaces and even assignment) to obtain a small calculus,
+		  Featherweight Java, for which rigorous proofs are not only
+		  possible but easy. Featherweight Java bears a similar
+		  relation to Java as the lambda-calculus does to languages
+		  such as ML and Haskell. It offers a similar computational
+		  "feel," providing classes, methods, fields, inheritance,
+		  and dynamic typecasts with a semantics closely following
+		  Java's. A proof of type safety for Featherweight Java thus
+		  illustrates many of the interesting features of a safety
+		  proof for the full language, while remaining pleasingly
+		  compact. The minimal syntax, typing rules, and operational
+		  semantics of Featherweight Java make it a handy tool for
+		  studying the consequences of extensions and variations. As
+		  an illustration of its utility in this regard, we extend
+		  Featherweight Java with generic classes in the style of GJ
+		  (Bracha, Odersky, Stoutamire, and Wadler) and give a
+		  detailed proof of type safety. The extended system
+		  formalizes for the first time some of the key features of
+		  GJ. },
+  bibkey	= {igarashi.ea:featherweight:2001}
+}
+
+@Article{	  zhu.ea:software:29-4,
+  title		= {Software Unit Test Coverage and Adequacy},
+  author	= {Hong Zhu and Patrick A.V. Hall and John H. R. May},
+  journal	= {ACM Computing Surveys},
+  issn		= {0360-0300},
+  volume	= 29,
+  url		= {http://www.cs.bris.ac.uk/Tools/Reports/Abstracts/1997-zhu.html}
+		  ,
+  number	= 4,
+  language	= {USenglish},
+  pages		= {366--427},
+  month		= dec,
+  keywords	= {Safety_Critical_Systems},
+  year		= 1997,
+  abstract	= {Objective measurement of test quality is one of the key
+		  issues in software testing. It has been a major research
+		  focus for the last two decades. Many test criteria have
+		  been proposed and studied for this purpose. Various kinds
+		  of rationale have been presented in support of one
+		  criterion or another. This paper surveys the research work
+		  in this area. The notion of adequacy criteria is examined
+		  together with its role in software dynamic testing. A
+		  review of criteria classification is followed by a summary
+		  of the methods for comparison and assessment of criteria.},
+  acknowledgement={none},
+  bibkey	= {zhu.ea:software:29-4}
+}
+
+@PhDThesis{	  wenzel:isabelleisar:2002,
+  author	= {Markus M. Wenzel},
+  title		= {Isabelle/Isar --- a versatile environment for
+		  human-readable formal proof documents},
+  school	= {TU M{\"u}nchen},
+  year		= 2002,
+  url		= {http://tumb1.biblio.tu-muenchen.de/publ/diss/in/2002/wenzel.html}
+		  ,
+  abstract	= {The basic motivation of this work is to make formal theory
+		  developments with machine-checked proofs accessible to a
+		  broader audience. Our particular approach is centered
+		  around the Isar formal proof language that is intended to
+		  support adequate composition of proof documents that are
+		  suitable for human consumption. Such primary proofs written
+		  in Isar may be both checked by the machine and read by
+		  human-beings; final presentation merely involves trivial
+		  pretty printing of the sources. Sound logical foundations
+		  of Isar are achieved by interpretation within the generic
+		  Natural Deduction framework of Isabelle, reducing all
+		  high-level reasoning steps to primitive inferences.
+		  
+		  The resulting Isabelle/Isar system is generic with respect
+		  to object-logics and proof tools, just as pure Isabelle
+		  itself. The full Isar language emerges from a small core by
+		  means of several derived elements, which may be combined
+		  freely with existing ones. This results in a very rich
+		  space of expressions of formal reasoning, supporting many
+		  viable proof techniques. The general paradigms of Natural
+		  Deduction and Calculational Reasoning are both covered
+		  particularly well. Concrete examples from logic,
+		  mathematics, and computer-science demonstrate that the Isar
+		  concepts are indeed sufficiently versatile to cover a broad
+		  range of applications.},
+  address	= {M{\"u}nchen},
+  month		= feb,
+  acknowledgement={none},
+  bibkey	= {wenzel:isabelleisar:2002}
+}
+
+@InProceedings{	  frantzen.ea:test:2004,
+  author	= {L. Frantzen and J. Tretmans and T.A.C. Willemse},
+  title		= {Test Generation Based on Symbolic Specifications},
+  booktitle	= {FATES 2004},
+  year		= 2004,
+  month		= sep,
+  abstract	= {Classical state-oriented testing approaches are based on
+		  sim- ple machine models such as Labelled Transition Systems
+		  (LTSs), in which data is represented by concrete values. To
+		  implement these theories, data types which have infinite
+		  universes have to be cut down to infinite vari- ants, which
+		  are subsequently enumerated to fit in the model. This leads
+		  to an explosion of the state space. Moreover, exploiting
+		  the syntactical and/or semantical information of the
+		  involved data types is non-trivial after enumeration. To
+		  overcome these problems, we lift the family of test- ing
+		  relations iocoF to the level of Symbolic Transition Systems
+		  (STSs). We present an algorithm based on STSs, which
+		  generates and executes tests on-the-fly on a given system.
+		  It is sound and complete for the ioco F testing
+		  relations.},
+  acknowledgement={none},
+  bibkey	= {frantzen.ea:test:2004}
+}
+
+@Book{		  dagostino.ea:handbook:1996,
+  title		= {Handbook of Tableau Methods},
+  editor	= {Marcello D'Agostino and Dov Gabbay and Reiner H\"ahnle and
+		  Joachim Posegga},
+  publisher	= {Kluwer, Dordrecht},
+  year		= 1996,
+  isbn		= {0-7923-5627-6},
+  acknowledgement={none},
+  bibkey	= {dagostino.ea:handbook:1996}
+}
+
+@Article{	  visser.ea:test:2004,
+  author	= {Willem Visser and Corina S. P\u{a}s\u{a}reanu and Sarfraz
+		  Khurshid},
+  title		= {Test input generation with {Java} {PathFinder}},
+  journal	= {SIGSOFT Softw. Eng. Notes},
+  volume	= 29,
+  number	= 4,
+  year		= 2004,
+  issn		= {0163-5948},
+  pages		= {97--107},
+  doi		= {10.1145/1013886.1007526},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  acknowledgement={none},
+  bibkey	= {visser.ea:test:2004}
+}
+
+@InProceedings{	  pons.ea:practical:2006,
+  author	= {Claudia Pons and Diego Garcia},
+  title		= {Practical Verification Strategy for Refinement Conditions
+		  in \acs{uml} Models},
+  booktitle	= {IFIP Workshop on Advanced Software Engineering},
+  year		= 2006,
+  pages		= {47--61},
+  doi		= {10.1007/978-0-387-34831-5_4},
+  crossref	= {ochoa.ea:ifip:2006}
+}
+
+@Proceedings{	  ochoa.ea:ifip:2006,
+  editor	= {Sergio F. Ochoa and Gruia-Catalin Roman},
+  title		= {IFIP 19th World Computer Congress, First International
+		  Workshop on Advanced Software Engineering, Expanding the
+		  Frontiers of Software Technology, August 25, 2006,
+		  Santiago, Chile},
+  booktitle	= {IFIP Workshop on Advanced Software Engineering},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= {IFIP},
+  volume	= 219,
+  year		= 2006,
+  isbn		= {978-0-387-34828-5}
+}
+
+@Misc{		  clearsy:atelier-b:2008,
+  author	= {{Clearsy Inc.}},
+  title		= {{Atelier B}},
+  year		= 2008,
+  note		= {\url{http://www.atelierb.eu/}}
+}
+
+@Book{		  beckert.ea:key:2007,
+  editor	= {Bernhard Beckert and Reiner H\"ahnle and Peter H. Schmitt},
+  title		= {Verification of Object-Oriented Software: The {\KeY}
+		  Approach},
+  volume	= 4334,
+  series	= s-lncs,
+  doi		= {10.1007/978-3-540-69061-0},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  year		= 2007
+}
+
+@InProceedings{	  rudich.ea:checking:2008,
+  author	= {Arsenii Rudich and {\'A}d{\'a}m Darvas and Peter M{\"u}ller},
+  title		= {Checking Well-Formedness of Pure-Method Specifications},
+  booktitle	= {FM},
+  year		= 2008,
+  pages		= {68--83},
+  ee		= {http://dx.doi.org/10.1007/978-3-540-68237-0_7},
+  crossref	= {cuellar.ea:fm:2008}
+}
+
+@Proceedings{	  cuellar.ea:fm:2008,
+  editor	= {Jorge Cu{\'e}llar and T. S. E. Maibaum and Kaisa Sere},
+  title		= {FM 2008: Formal Methods, 15th International Symposium on
+		  Formal Methods, Turku, Finland, May 26-30, 2008,
+		  Proceedings},
+  booktitle	= {FM},
+  series	= s-lncs,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  volume	= 5014,
+  year		= 2008,
+  isbn		= {978-3-540-68235-6}
+}
+
+@InProceedings{	  ledang:b-based:2004,
+  author	= {Hung Ledang},
+  title		= {B-based Conistency Checking of UML Diagrams},
+  booktitle	= PROC # { ICT/RDA2004 : the 2nd National Symposium on
+		  Research, Development and Application of Information and
+		  Communication TechnologyAIR'2005},
+  year		= 2004,
+  publisher	= {Science and Techniques Publisher}
+}
+
+@InProceedings{	  krieger.ea:executing,
+  author	= {Matthias P. Krieger and Alexander Knapp.},
+  title		= {Executing Underspecified OCL Operation Contracts with a
+		  SAT Solver},
+  booktitle	= PROC # { the OCL 2008 Workshop},
+  editor	= {to appear},
+  note		= {\url{http://www.fots.ua.ac.be/events/ocl2008/}}
+}
+
+@InProceedings{	  tretmans.ea:cote:2002,
+  author	= {Jan Tretmans and Edsgar Brinksma},
+  title		= {C\^ote de Resyste --- Automated Model Based Testing},
+  booktitle	= {Progress 2002 --- 3rd Workshop on Embedded Systems},
+  pages		= {246--255},
+  year		= 2002
+}
+
+@Article{	  tretmans:test:1996,
+  author	= {Jan Tretmans},
+  title		= {Test Generation with Inputs, Outputs and Repetitive
+		  Quiescence},
+  journal	= {Software --- Concepts and Tools},
+  year		= 1996,
+  volume	= 17,
+  number	= 3,
+  pages		= {103--120}
+}
+
+@Article{	  jard.ea:tgv:2005,
+  author	= {C. Jard and T. J\'eron},
+  title		= {TGV: Theory, Principles and Algorithms},
+  journal	= {Software Tools for Technology Transfer},
+  year		= 2005,
+  volume	= 7,
+  number	= 4,
+  pages		= {297--315}
+}
+
+@InProceedings{	  clarke.ea:stg:2002,
+  author	= {D. Clarke and T. J\'eron and V. Rusu and E. Zinovieva},
+  title		= {STG: A Symbolic Test Generation Tool},
+  pages		= {470--475},
+  year		= 2002,
+  series	= s-lncs,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  volume	= {2280}
+}
+
+@InProceedings{	  koch.ea:autolink:1998,
+  author	= {B. Koch and J. Grabowski and D. Hogrefe and M. Schmitt},
+  title		= {AutoLink --- a Tool for Automatic Test Generation from SDL
+		  Specifications},
+  booktitle	= {Proc. IEEE Intl. Workshop on Industrial Strength Formal
+		  Specification Techniques (WIFT 1998)},
+  pages		= {114--127},
+  year		= 1998
+}
+
+@InProceedings{	  bouquet.ea:mastering:2004,
+  author	= {F. Bouquet and B. Legeard and F. Peureux and E.
+		  Torreborre},
+  title		= {Mastering Test Generation from Smart Card Software Formal
+		  Models},
+  booktitle	= {Proc. Intl. Workshop on Construction and Analysis of Safe,
+		  Secure and Interoperable Smart devices},
+  pages		= {70--85},
+  year		= 2004,
+  series	= s-lncs,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  volume	= {3362}
+}
+
+@InProceedings{	  prowell:tool:2003,
+  author	= {S. Prowell},
+  title		= {A Tool for Model-based Statistical Testing},
+  booktitle	= {Proc. HICSS'03, IEEE},
+  pages		= {337.3},
+  year		= 2003
+}
+
+@Article{	  walton.ea:generating:2000,
+  author	= {G. Walton and J. Poore},
+  title		= {Generating transition probabilities to support model-based
+		  software testing},
+  journal	= {Software: Practice and Experience},
+  year		= 2000,
+  volume	= 30,
+  number	= 10,
+  pages		= {1095--1106}
+}
+
+@Article{	  cohen.ea:aetg:1997,
+  author	= {D. Cohen and S. Dalal and M. Fredman and G. Patton},
+  title		= {The AETG System: An approach to testing Based on
+		  Combinatorial Design},
+  journal	= {IEEE Transactions on Software Engineering},
+  year		= 1997,
+  volume	= 23,
+  number	= 7
+}
+
+@InProceedings{	  bohme.ea:hol-boogie:2008,
+  author	= {Sascha B{\"o}hme and K. Rustan M. Leino and Burkhart
+		  Wolff},
+  title		= {{\acs{hol}-Boogie}---An Interactive Prover for the
+		  {Boogie} Program-Verifier},
+  booktitle	= {Theorem Proving in Higher Order Logics},
+  year		= 2008,
+  pages		= {150--166},
+  doi		= {10.1007/978-3-540-71067-7_15},
+  crossref	= {otmane.ea:tphols:2008}
+}
+
+@Proceedings{	  otmane.ea:tphols:2008,
+  editor	= {Otmane A\"{\i}t Mohamed and C{\'e}sar Mu{\~n}oz and
+		  Sofi{\`e}ne Tahar},
+  title		= {Theorem Proving in Higher Order Logics (\acs{tphols})},
+  booktitle	= {Theorem Proving in Higher Order Logics (\acs{tphols})},
+  location	= {Montreal, Canada},
+  month		= aug,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 5170,
+  year		= 2008,
+  isbn		= {978-3-540-71065-3}
+}
+
+@InProceedings{	  huisman.ea:inheritance:2000,
+  author	= {Marieke Huisman and Bart Jacobs},
+  title		= {Inheritance in Higher Order Logic: Modeling and
+		  Reasoning},
+  doi		= {10.1007/3-540-44659-1_19},
+  year		= 2000,
+  pages		= {301--319},
+  crossref	= {aagaard.ea:tphols:2000}
+}
+
+@Proceedings{	  aagaard.ea:tphols:2000,
+  editor	= {Mark Aagaard and John Harrison},
+  location	= {Portland, Oregon, USA},
+  month		= aug,
+  title		= {Theorem Proving in Higher Order Logics (\acs{tphols})},
+  booktitle	= {Theorem Proving in Higher Order Logics (\acs{tphols})},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 1869,
+  year		= 2000,
+  isbn		= {3-540-67863-8}
+}
+
+@Book{		  roscoe:csp:1998,
+  author	= {A.W. Roscoe},
+  title		= {Theory and Practice of Concurrency},
+  publisher	= {Prentice Hall},
+  year		= 1997,
+  isbn		= {0-13-674409-5}
+}
+
+@article{DBLP:journals/afp/Noce16,
+  author    = {Pasquale Noce},
+  title     = {Conservation of {CSP} Noninterference Security under Sequential Composition},
+  journal   = {Archive of Formal Proofs},
+  year      = {2016},
+  url       = {https://www.isa-afp.org/entries/Noninterference\_Sequential\_Composition.shtml},
+  timestamp = {Mon, 07 Jan 2019 11:16:33 +0100},
+  biburl    = {https://dblp.org/rec/bib/journals/afp/Noce16},
+  bibsource = {dblp computer science bibliography, https://dblp.org}
+}
+
+@article{IsobeRoggenbach2010,
+  title={CSP-Prover: a Proof Tool for the Verification of Scalable Concurrent Systems},
+  author={Yoshinao Isobe and Markus Roggenbach},
+  journal={Information and Media Technologies},
+  volume={5},
+  number={1},
+  pages={32-39},
+  year={2010},
+  doi={10.11185/imt.5.32}
+}
+
+
+
+@Article{	  foster:error:1980,
+  title		= {Error Sensitive Test Cases Analysis (ESTCA)},
+  author	= {Foster, K.A.},
+  journal	= {Software Engineering, IEEE Transactions on},
+  year		= 1980,
+  month		= {May},
+  volume	= {SE-6},
+  number	= 3,
+  pages		= {258--264},
+  abstract	= {A hardware failure analysis technique adapted to software
+		  yielded three rules for generating test cases sensitive to
+		  code errors. These rules, and a procedure for generating
+		  these cases, are given with examples. Areas for further
+		  study are recommended.},
+  keywords	= {null Program correctness, progran testing, software
+		  errors, software reliability, test data generation},
+  issn		= {0098-5589}
+}
+
+@Book{		  myers.ea:art:2004,
+  author	= {Glenford J. Myers and Corey Sandler},
+  title		= {The Art of Software Testing},
+  year		= 2004,
+  isbn		= 0471469122,
+  publisher	= {John Wiley \& Sons}
+}
+
+@InProceedings{	  tillmann.ea:pex:2008,
+  author	= {Nikolai Tillmann and Jonathan de Halleux},
+  title		= {{Pex}---White Box Test Generation for {.NET}},
+  booktitle	= {TAP},
+  year		= 2008,
+  pages		= {134-153},
+  doi		= {10.1007/978-3-540-79124-9_10},
+  crossref	= {beckert.ea:tests:2008},
+  abstract	= {Pex automatically produces a small test suite with high
+		  code coverage for a .NET program. To this end, Pex performs
+		  a systematic program analysis (using dynamic symbolic
+		  execution, similar to path-bounded model-checking) to
+		  determine test inputs for Parameterized Unit Tests. Pex
+		  learns the program behavior by monitoring execution traces.
+		  Pex uses a constraint solver to produce new test inputs
+		  which exercise different program behavior. The result is an
+		  automatically generated small test suite which often
+		  achieves high code coverage. In one case study, we applied
+		  Pex to a core component of the .NET runtime which had
+		  already been extensively tested over several years. Pex
+		  found errors, including a serious issue.}
+}
+
+@InProceedings{	  halleux.ea:parameterized:2008,
+  author	= {Jonathan de Halleux and Nikolai Tillmann},
+  title		= {Parameterized Unit Testing with {Pex}},
+  booktitle	= {TAP},
+  year		= 2008,
+  pages		= {171--181},
+  doi		= {10.1007/978-3-540-79124-9_12},
+  crossref	= {beckert.ea:tests:2008},
+  abstract	= {This hands-on tutorial will teach the principles of
+		  Parameterized Unit Testing [5,4] with Pex [2], an automatic
+		  test input generator for .NET which performs a systematic
+		  program analysis, similar to path bounded model-checking. A
+		  parameterized unit test is simply a method that takes
+		  parameters, calls the code under test, and states
+		  assertions.}
+}
+
+@Proceedings{	  beckert.ea:tests:2008,
+  editor	= {Bernhard Beckert and Reiner H{\"a}hnle},
+  title		= {Tests and Proofs, Second International Conference, TAP
+		  2008, Prato, Italy, April 9-11, 2008. Proceedings},
+  booktitle	= {TAP},
+  series	= s-lncs,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  volume	= 4966,
+  year		= 2008,
+  isbn		= {978-3-540-79123-2}
+}
+
+%%%%%%
+@InProceedings{	  povey:enforcing:1999,
+  author	= {Dean Povey},
+  title		= {Enforcing well-formed and partially-formed transactions
+		  for {Unix}},
+  booktitle	= PROC # { the 8th conference on \acs{usenix} Security
+		  Symposium},
+  volume	= 8,
+  year		= 1999,
+  publisher	= {\acs{usenix} Association},
+  location	= {Berkeley, \acs{ca}},
+  pages		= {5--5}
+}
+
+@InProceedings{	  longstaff.ea:model:2000,
+  author	= {J.J. Longstaff and M.A. Lockyer and M.G. Thick},
+  title		= {A Model of Accountability, Confidentiality and Override
+		  for Healthcare and other Applications},
+  booktitle	= PROC # { the fifth \acs{acm} workshop on Role-based
+		  access control},
+  year		= 2000,
+  isbn		= {1-58113-259-X},
+  pages		= {71--76},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  doi		= {10.1145/344287.344304}
+}
+
+@InProceedings{	  rissanen.ea:towards:2004,
+  author	= {Erik Rissanen},
+  title		= {Towards a Mechanism for Discretionary Overriding of Access
+		  Control (Transcript of Discussion)},
+  booktitle	= PROC # { the 12th International Workshop on Security
+		  Protocols},
+  year		= 2004,
+  pages		= {320--323},
+  month		= mar,
+  doi		= {10.1007/11861386_39},
+  abstract	= {Last year, the Swedish Prime Minister was stabbed to death
+		  in a shopping mall in Stockholm, and of course the police
+		  thoroughly investigated it. They had some privacy problems
+		  during the investigation: many policemen just looked at the
+		  case, because there was no access control on the police
+		  system. They didn{\^a}t have a whole system on-line,
+		  because they cannot really predict the needs of individual
+		  policemen, and they cannot really audit the whole thing
+		  either because there were so many accesses. In the case of
+		  the prime minister we suspect that something was going on
+		  because he was a famous person, and they know from
+		  experience that this tends to happen with famous people,
+		  but in the case of a policemen accessing his
+		  neighbour{\^a}s data, or something like that, then there
+		  is little reason to notice that something is going on.},
+  crossref	= {bruce.ea:security:2006}
+}
+
+@Proceedings{	  bruce.ea:security:2006,
+  series	= s-lncs,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  editor	= {Bruce Christianson and Bruno Crispo and James A. Malcolm
+		  and Michael Roe},
+  title		= {Security Protocols, 12th International Workshop,
+		  Cambridge, UK, April 26-28, 2004. Revised Selected Papers},
+  booktitle	= {Security Protocols Workshop},
+  volume	= 3957,
+  year		= 2006,
+  isbn		= {3-540-40925-4}
+}
+
+@InProceedings{	  rissanen.ea:discretionary:2004,
+  author	= {Erik Rissanen and Babak Sadighi Firozabadi and Marek J.
+		  Sergot},
+  title		= {Discretionary Overriding of Access Control in the
+		  Privilege Calculus},
+  booktitle	= PROC # { the Workshop on Formal Aspects Security and
+		  Trust (\acs{fast})},
+  year		= 2004,
+  pages		= {219--232},
+  doi		= {10.1007/0-387-24098-5_16},
+  crossref	= {dimitrakos.ea:formal:2005},
+  abstract	= {We extend a particular access control framework, the
+		  Privilege Calculus, with a possibility to override denied
+		  access for increased flexibility in hard to define or
+		  unanticipated situations. We require the overrides to be
+		  audited and approved by appropriate managers. In order to
+		  automatically find the authorities who are able to approve
+		  an override, we present an algorithm for authority
+		  resolution. We are able to calculate from the access
+		  control policy who can approve an override without the need
+		  for any additional information.}
+}
+
+@Proceedings{	  dimitrakos.ea:formal:2005,
+  editor	= {Theodosis Dimitrakos and Fabio Martinelli},
+  title		= {Formal Aspects in Security and Trust: Second IFIP TC1
+		  WG1.7 Workshop on Formal Aspects in Security and Trust
+		  (FAST), an event of the 18th IFIP World Computer Congress,
+		  August 22-27, 2004, Toulouse, France},
+  booktitle	= {Formal Aspects in Security and Trust},
+  publisher	= pub-springer,
+  volume	= 173,
+  address	= pub-springer:adr,
+  year		= 2005,
+  isbn		= {0-387-24050-0}
+}
+
+@InProceedings{	  alqatawna.ea:overriding:2007,
+  author	= {Ja'far Alqatawna and Erik Rissanen and Babak Sadighi},
+  title		= {Overriding of Access Control in \textsc{XACML}},
+  booktitle	= PROC # { the Eighth \acs{ieee} International
+		  Workshop on Policies for Distributed Systems and Networks
+		  (\acs{policy})},
+  year		= 2007,
+  isbn		= {0-7695-2767-1},
+  pages		= {87--95},
+  doi		= {10.1109/POLICY.2007.31},
+  address	= pub-ieee:adr,
+  publisher	= pub-ieee
+}
+
+@InProceedings{	  stevens.ea:new:2002,
+  author	= {Gunnar Stevens and Volker Wulf},
+  title		= {A new dimension in access control: studying maintenance
+		  engineering across organizational boundaries},
+  booktitle	= PROC # { the \acs{acm} conference on Computer
+		  supported cooperative work (\acs{cscw})},
+  year		= 2002,
+  isbn		= {1-58113-560-2},
+  pages		= {196--205},
+  location	= {New Orleans, Louisiana, USA},
+  doi		= {10.1145/587078.587106},
+  publisher	= pub-acm,
+  address	= pub-acm:adr
+}
+
+@InProceedings{	  jaeger.ea:managing:2002,
+  author	= {Trent Jaeger and Antony Edwards and Xiaolan Zhang},
+  title		= {Managing access control policies using access control
+		  spaces},
+  booktitle	= PROC # { the seventh \acs{acm} symposium on Access
+		  control models and technologies (\acs{sacmat})},
+  year		= 2002,
+  isbn		= {1-58113-496-7},
+  pages		= {3--12},
+  location	= {Monterey, California, USA},
+  doi		= {10.1145/507711.507713},
+  publisher	= pub-acm,
+  address	= pub-acm:adr
+}
+
+@Article{	  joshi.ea:generalized:2005,
+  author	= {James B.D. Joshi and Elisa Bertino and Usman Latif and
+		  Arif Ghafoor},
+  title		= {A Generalized Temporal Role-Based Access Control Model},
+  journal	= j-tkde,
+  volume	= 17,
+  number	= 1,
+  issn		= {1041-4347},
+  year		= 2005,
+  pages		= {4--23},
+  doi		= {10.1109/TKDE.2005.1},
+  publisher	= pub-ieee,
+  address	= pub-ieee:adr
+}
+
+@InProceedings{	  bell.ea:secure:1996,
+  author	= {D. Elliott Bell and Leonard J. LaPadula},
+  title		= {Secure Computer Systems: A Mathematical Model, Volume
+		  {II}},
+  booktitle	= {Journal of Computer Security 4},
+  year		= 1996,
+  pages		= {229--263},
+  note		= {An electronic reconstruction of \emph{Secure Computer
+		  Systems: Mathematical Foundations}, 1973}
+}
+
+@InProceedings{	  bell:looking:2005,
+  title		= {Looking Back at the Bell-La Padula Model},
+  author	= {D. Elliott Bell},
+  journal	= PROC # { the 21st Annual Computer Security
+		  Applications Conference},
+  year		= 2005,
+  isbn		= {1063-9527},
+  doi		= {10.1109/CSAC.2005.37},
+  publisher	= {pub-ieee},
+  address	= pub-ieee:adr,
+  pages		= {337--351}
+}
+
+@Booklet{	  oasis:xacml:2005,
+  title		= {{eXtensible Access Control Markup Language (XACML)},
+		  Version 2.0},
+  year		= 2005,
+  url		= {http://docs.oasis-open.org/xacml/2.0/XACML-2.0-OS-NORMATIVE.zip}
+		  ,
+  bibkey	= {oasis:xacml:2005},
+  publisher	= {\acs{oases}},
+  key		= {OASIS},
+  language	= {USenglish},
+  public	= {yes}
+}
+
+@InProceedings{	  barka.ea:framework:2000,
+  author	= {Ezedin Barka and Ravi Sandhu},
+  title		= {Framework for Role-based Delegation Models},
+  year		= 2000,
+  booktitle	= PROC # { the 16th Annual Computer Security
+		  Applications Conference},
+  doi		= {10.1109/ACSAC.2000.898870},
+  isbn		= {0-7695-0859-6},
+  pages		= {168--176},
+  publisher	= pub-ieee,
+  address	= pub-ieee:adr
+}
+
+@InProceedings{	  cheng.ea:fuzzy:2007,
+  author	= {Pau-Chen Cheng and Pankaj Rohatgi and Claudia Keser and
+		  Paul A. Karger and Grant M. Wagner and Angela Schuett
+		  Reninger},
+  title		= {Fuzzy Multi-Level Security: An Experiment on Quantified
+		  Risk-Adaptive Access Control},
+  booktitle	= {IEEE Symposium on Security and Privacy},
+  year		= 2007,
+  pages		= {222--230},
+  ee		= {http://dx.doi.org/10.1109/SP.2007.21},
+  crossref	= {ieee:security-privacy:2007}
+}
+
+@Proceedings{	  ieee:security-privacy:2007,
+  title		= {2007 IEEE Symposium on Security and Privacy (S{\&}P 2007),
+		  20-23 May 2007, Oakland, California, USA},
+  booktitle	= {IEEE Symposium on Security and Privacy},
+  publisher	= {IEEE Computer Society},
+  year		= 2007
+}
+
+@InProceedings{	  zhang.ea:toward:2006,
+  author	= {Lei Zhang and Alexander Brodsky and Sushil Jajodia},
+  title		= {Toward Information Sharing: Benefit And Risk Access
+		  Control (BARAC)},
+  booktitle	= {POLICY},
+  year		= 2006,
+  pages		= {45--53},
+  doi		= {10.1109/POLICY.2006.36},
+  crossref	= {ieee:policy:2006}
+}
+
+@Proceedings{	  ieee:policy:2006,
+  title		= {7th IEEE International Workshop on Policies for
+		  Distributed Systems and Networks (POLICY 2006), 5-7 June
+		  2006, London, Ontario, Canada},
+  booktitle	= {POLICY},
+  publisher	= {IEEE Computer Society},
+  year		= 2006,
+  isbn		= {0-7695-2598-9}
+}
+
+@InProceedings{	  nissanke.ea:risk:2004,
+  author	= {Nimal Nissanke and Etienne J. Khayat},
+  title		= {Risk Based Security Analysis of Permissions in RBAC},
+  booktitle	= {WOSIS},
+  year		= 2004,
+  pages		= {332--341},
+  crossref	= {fernandez-medina.ea:security:2004}
+}
+
+@Proceedings{	  fernandez-medina.ea:security:2004,
+  editor	= {Eduardo Fern{\'a}ndez-Medina and Julio C{\'e}sar
+		  Hern{\'a}ndez Castro and L. Javier Garc\'{\i}a-Villalba},
+  title		= {Security In Information Systems, Proceedings of the 2nd
+		  International Workshop on Security In Information Systems,
+		  WOSIS 2004, In conjunction with ICEIS 2004, Porto,
+		  Portugal, April 2004},
+  booktitle	= {WOSIS},
+  publisher	= {INSTICC Press},
+  year		= 2004,
+  isbn		= {972-8865-07-4}
+}
+
+@InProceedings{	  fisler.ea:verification:2005,
+  author	= {Kathi Fisler and Shriram Krishnamurthi and Leo A.
+		  Meyerovich and Michael Carl Tschantz},
+  title		= {Verification and change-impact analysis of access-control
+		  policies},
+  booktitle	= {ICSE},
+  year		= 2005,
+  pages		= {196--205},
+  doi		= {10.1145/1062455.1062502},
+  crossref	= {roman.ea:27th:2005}
+}
+
+@Proceedings{	  roman.ea:27th:2005,
+  editor	= {Gruia-Catalin Roman and William G. Griswold and Bashar
+		  Nuseibeh},
+  title		= {27th International Conference on Software Engineering
+		  (ICSE 2005), 15-21 May 2005, St. Louis, Missouri, USA},
+  booktitle	= {ICSE},
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  year		= 2005
+}
+
+@InProceedings{	  lin.ea:approach:2007,
+  author	= {Dan Lin and Prathima Rao and Elisa Bertino and Jorge
+		  Lobo},
+  title		= {An approach to evaluate policy similarity},
+  booktitle	= {SACMAT},
+  year		= 2007,
+  pages		= {1--10},
+  doi		= {10.1145/1266840.1266842},
+  crossref	= {lotz.ea:sacmat:2007}
+}
+
+@InProceedings{	  backes.ea:efficient:2004,
+  author	= {Michael Backes and G{\"u}nter Karjoth and Walid Bagga and
+		  Matthias Schunter},
+  title		= {Efficient comparison of enterprise privacy policies},
+  booktitle	= {SAC},
+  year		= 2004,
+  pages		= {375--382},
+  doi		= {10.1145/967900.967983},
+  crossref	= {haddad.ea:proceedings:2004}
+}
+
+@Proceedings{	  haddad.ea:proceedings:2004,
+  editor	= {Hisham Haddad and Andrea Omicini and Roger L. Wainwright
+		  and Lorie M. Liebrock},
+  title		= PROC # { the 2004 ACM Symposium on Applied Computing
+		  (SAC), Nicosia, Cyprus, March 14-17, 2004},
+  booktitle	= {SAC},
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  year		= 2004,
+  isbn		= {1-58113-812-1}
+}
+
+@InProceedings{	  warner.ea:using:2007,
+  author	= {Janice Warner and Vijayalakshmi Atluri and Ravi Mukkamala
+		  and Jaideep Vaidya},
+  title		= {Using semantics for automatic enforcement of access
+		  control policies among dynamic coalitions},
+  booktitle	= {SACMAT},
+  year		= 2007,
+  pages		= {235--244},
+  doi		= {10.1145/1266840.1266877},
+  crossref	= {lotz.ea:sacmat:2007}
+}
+
+@Proceedings{	  lotz.ea:sacmat:2007,
+  editor	= {Volkmar Lotz and Bhavani M. Thuraisingham},
+  title		= {SACMAT 2007, 12th ACM Symposium on Access Control Models
+		  and Technologies, Sophia Antipolis, France, June 20-22,
+		  2007, Proceedings},
+  booktitle	= {SACMAT},
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  year		= 2007,
+  isbn		= {978-1-59593-745-2}
+}
+
+@InProceedings{	  povey:optimistic:1999,
+  author	= {Dean Povey},
+  title		= {Optimistic Security: A New Access Control Paradigm},
+  booktitle	= PROC # { the 1999 workshop on New security
+		  paradigms},
+  year		= 1999,
+  isbn		= {1-58113-149-6},
+  pages		= {40--45},
+  doi		= {10.1145/335169.335188},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  abstract	= {Despite the best efforts of security researchers,
+		  sometimes the static nature of authorisation can cause
+		  unexpected risks for users work- ing in a dynamically
+		  changing environment. Disasters, medical emergencies or
+		  time-critical events can all lead to situations where the
+		  ability to relax normal access rules can become critically
+		  impor- tant.
+		  
+		  This paper presents an optimistic access control scheme
+		  where en- forcement of rules is retrospective. The system
+		  administrator is re- lied on to ensure that the system is
+		  not misused, and compensating transactions are used to
+		  ensure that the system integrity can be re- covered in the
+		  case of a breach. It is argued that providing an opti-
+		  mistic scheme alongside a traditional access control
+		  mechanism can provide a useful means for users to exceed
+		  their normal privileges on the rare occasion that the
+		  situation warrants it.
+		  
+		  The idea of a partially-formed transaction is introduced to
+		  show how accesses in an optimistic system might be
+		  constrained. This model is formally described and related
+		  to the Clark-Wilson in- tegrity model.}
+}
+
+@Article{	  sandhu.ea:role-based:1996,
+  author	= {Ravi S. Sandhu and Edward J. Coyne and Hal L. Feinstein
+		  and Charles E. Youman},
+  title		= {Role-Based Access Control Models},
+  journal	= j-computer,
+  year		= 1996,
+  volume	= 29,
+  number	= 2,
+  address	= pub-ieee:adr,
+  publisher	= pub-ieee,
+  pages		= {38--47},
+  url		= {http://ite.gmu.edu/list/journals/computer/pdf_ver/i94rbac(org).pdf}
+		  ,
+  abstract	= {Abstract This article introduces a family of reference
+		  models for rolebased acce ss control (RBAC) in which
+		  permissions are associated with roles, and users are made
+		  members of appropriate roles. This greatly simplifies
+		  management of permiss ions. Roles are closely related to
+		  the concept of user groups in access control. However, a
+		  role brings together a set of users on one side and a set
+		  of permiss ions on the other, whereas user groups are
+		  typically defined as a set of users o nly.
+		  
+		  The basic concepts of RBAC originated with early multi-user
+		  computer systems. Th e resurgence of interest in RBAC has
+		  been driven by the need for general-purpose customizable
+		  facilities for RBAC and the need to manage the
+		  administration of R BAC itself. As a consequence RBAC
+		  facilities range from simple to complex. This article
+		  describes a novel framework of reference models to
+		  systematically addres s the diverse components of RBAC, and
+		  their interactions.},
+  issn		= {0018-9162},
+  keywords	= {Computational linguistics; Computer control systems;
+		  Computer simulation; Computer software; Data abstraction;
+		  Database systems; Discretionary access control; Encoding
+		  (symbols); Integration; Mandator access control; Role based
+		  access control; Semantics; Software encoding; User
+		  interfaces},
+  acknowledgement={none},
+  bibkey	= {sandhu.ea:role-based:1996}
+}
+
+@Booklet{	  sarbanes.ea:sox:2002,
+  title		= {{Sarbanes-Oxley} {Act} of 2002},
+  author	= {P. Sarbanes and G. Oxley and others},
+  howpublished	= {107th Congress Report, House of Representatives, 2nd
+		  Session, 107--610},
+  year		= 2002
+}
+
+@TechReport{	  bcbs:baselii:2004,
+  author	= {{Basel Committee on Banking Supervision}},
+  title		= {{Basel II}: International Convergence of Capital
+		  Measurement and Capital Standards},
+  year		= 2004,
+  url		= {http://www.bis.org/publ/bcbsca.htm},
+  address	= {Basel, Switzerland},
+  institution	= {Bank for International Settlements}
+}
+
+@Book{		  dahl.ea:structured:1972,
+  author	= {O.-J. Dahl and E. W. Dijkstra and C. A. R. Hoare},
+  title		= {Structured Programming},
+  publisher	= {Academic Press},
+  year		= 1972,
+  edition	= {3rd},
+  volume	= 8,
+  series	= {A.P.I.C. Studies in Data Processing},
+  address	= {London},
+  isbn		= {0-12-200550-3}
+}
+
+@InProceedings{	  bryans:reasoning:2005,
+  author	= {Jery Bryans},
+  title		= {Reasoning about {XACML} policies using {CSP}},
+  booktitle	= {SWS '05: Proceedings of the 2005 workshop on Secure web
+		  services},
+  year		= 2005,
+  isbn		= {1-59593-234-8},
+  pages		= {28--35},
+  location	= {Fairfax, VA, USA},
+  doi		= {10.1145/1103022.1103028},
+  address	= pub-acm:adr,
+  publisher	= pub-acm
+}
+
+@InProceedings{	  chadwick.ea:permis:2002,
+  author	= {David W. Chadwick and Alexander Otenko},
+  title		= {The \acs{permis} {X.509} role based privilege management
+		  infrastructure},
+  booktitle	= PROC # { the seventh \acs{acm} symposium on Access
+		  control models and technologies (\acs{sacmat})},
+  year		= 2002,
+  isbn		= {1-58113-496-7},
+  pages		= {135--140},
+  location	= {Monterey, California, USA},
+  doi		= {10.1145/507711.507732},
+  address	= pub-acm:adr,
+  publisher	= pub-acm
+}
+
+@InProceedings{	  ye.ea:using:2005,
+  author	= {Chunxiao Ye and Zhongfu Wu},
+  title		= {Using \acs{xml} and \acs{xacml} to Support Attribute Based
+		  Delegation},
+  booktitle	= {CIT '05: Proceedings of the The Fifth International
+		  Conference on Computer and Information Technology},
+  year		= 2005,
+  isbn		= {0-7695-2432-X},
+  pages		= {751--756},
+  doi		= {10.1109/CIT.2005.196},
+  publisher	= {IEEE Computer Society},
+  address	= {Washington, DC, USA}
+}
+
+@Book{		  fox.ea:it-sox:2006,
+  author	= {Christopher Fox and Paul Zonneveld},
+  abstract	= {This publication provides CIOs, IT managers, and control
+		  and assurance professionals with scoping and assessment
+		  ideas, approaches and guidance in support of the IT-related
+		  Committee of Sponsoring Organizations of the Treadway
+		  Commission (COSO) internal control objectives for financial
+		  reporting.
+		  
+		  A streamlined road map is provided to help turn compliance
+		  into a competitive challenge. Lessons learned and
+		  sustaining ideas are also included.
+		  
+		  The second edition is updated for recent US Securities and
+		  Exchange Commission (SEC) and Public Company Accounting and
+		  Oversight Board (PCAOB) guidance related to entity-level
+		  controls, a risk-based/top-down approach, application
+		  controls and the evaluation of deficiencies.},
+  title		= {\acs{it} Control Objectives for Sarbanes-Oxley: The Role
+		  of \acs{it} in the Design and Implementation of Internal
+		  Control Over Financial Reporting},
+  year		= 2006,
+  month		= sep,
+  bibkey	= {fox.ea:it-sox:2006},
+  num_pages	= 128,
+  edition	= {2nd},
+  publisher	= {IT Governance Institute},
+  isbn		= {1-933284-76-5},
+  address	= {Rolling Meadows, IL, USA}
+}
+
+@Article{	  basin.ea:automated:2009,
+  title		= {Automated analysis of security-design models},
+  journal	= j-ist,
+  volume	= 51,
+  number	= 5,
+  issn		= {0950-5849},
+  year		= 2009,
+  pages		= {815--831},
+  doi		= {10.1016/j.infsof.2008.05.011},
+  author	= {David Basin and Manuel Clavel and J{\"u}rgen Doser and
+		  Marina Egea},
+  keywords	= {Metamodels},
+  abstract	= {We have previously proposed SecureUML, an expressive
+		  UML-based language for constructing security-design models,
+		  which are models that combine design specifications for
+		  distributed systems with specifications of their security
+		  policies. Here, we show how to automate the analysis of
+		  such models in a semantically precise and meaningful way.
+		  In our approach, models are formalized together with
+		  scenarios that represent possible run-time instances.
+		  Queries about properties of the security policy modeled are
+		  expressed as formulas in UML's Object Constraint Language.
+		  The policy may include both declarative aspects, i.e.,
+		  static access-control information such as the assignment of
+		  users and permissions to roles, and programmatic aspects,
+		  which depend on dynamic information, namely the
+		  satisfaction of authorization constraints in a given
+		  scenario. We show how such properties can be evaluated,
+		  completely automatically, in the context of the metamodel
+		  of the security-design language. We demonstrate, through
+		  examples, that this approach can be used to formalize and
+		  check non-trivial security properties. The approach has
+		  been implemented in the SecureMOVA tool and all of the
+		  examples presented have been checked using this tool.},
+  note		= {Special Issue on Model-Driven Development for Secure
+		  Information Systems},
+  publisher	= pub-elsevier,
+  address	= pub-elsevier:adr
+}
+
+@InProceedings{	  dong.ea:flexible:2008,
+  author	= {Changyu Dong and Giovanni Russello and Naranker Dulay},
+  title		= {Flexible Resolution of Authorisation Conflicts in
+		  Distributed Systems},
+  booktitle	= {DSOM},
+  year		= 2008,
+  pages		= {95--108},
+  doi		= {10.1007/978-3-540-87353-2_8},
+  crossref	= {turck.ea:managing:2008},
+  abstract	= {Managing security in distributed systems requires flexible
+		  and expressive authorisation models with support for
+		  conflict resolution. Models need to be hierarchical but
+		  also non-monotonic supporting both positive and negative
+		  authorisations. In this paper, we present an approach to
+		  resolve the authorisation conflicts that inevitably occur
+		  in such models, with administrator specified conflict
+		  resolution strategies (rules). Strategies can be global or
+		  applied to specific parts of a system and dynamically
+		  loaded for different applications. We use Courteous Logic
+		  Programs (CLP) for the specification and enforcement of
+		  strategies. Authorisation policies are translated into
+		  labelled rules in CLP and prioritised. The prioritisation
+		  is regulated by simple override rules specified or selected
+		  by administrators. We demonstrate the capabilities of the
+		  approach by expressing the conflict resolution strategy for
+		  a moderately complex authorisation model that organises
+		  subjects and objects hierarchically.}
+}
+
+@Proceedings{	  turck.ea:managing:2008,
+  editor	= {Filip De Turck and Wolfgang Kellerer and George
+		  Kormentzas},
+  title		= {Managing Large-Scale Service Deployment, 19th IFIP/IEEE
+		  International Workshop on Distributed Systems: Operations
+		  and Management, DSOM 2008, Samos Island, Greece, September
+		  22-26, 2008. Proceedings},
+  booktitle	= {DSOM},
+  series	= s-lncs,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  volume	= 5273,
+  year		= 2008,
+  isbn		= {978-3-540-85999-4}
+}
+
+@InProceedings{	  russello.ea:consent-based:2008,
+  author	= {Giovanni Russello and Changyu Dong and Naranker Dulay},
+  title		= {Consent-Based Workflows for Healthcare Management},
+  booktitle	= {9th IEEE International Workshop on Policies for
+		  Distributed Systems and Networks (POLICY 2008), 2-4 June
+		  2008, Palisades, New York, USA},
+  year		= 2008,
+  publisher	= {IEEE Computer Society},
+  pages		= {153--161},
+  isbn		= {978-0-7695-3133-5},
+  doi		= {10.1109/POLICY.2008.22},
+  abstract	= {n this paper, we describe a new framework for healthcare
+		  systems where patients are able to control the disclosure
+		  of their medical data. In our framework, the patient's
+		  consent has a pivotal role in granting or removing access
+		  rights to subjects accessing patient's medical data.
+		  Depending on the context in which the access is being
+		  executed, different consent policies can be applied.
+		  Context is expressed in terms of workflows. The execution
+		  of a task in a given workflow carries the necessary
+		  information to infer whether the consent can be implicitly
+		  retrieved or should be explicitly requested from a patient.
+		  However, patients are always able to enforce their own
+		  decisions and withdraw consent if necessary. Additionally,
+		  the use of workflows enables us to apply the need-to-know
+		  principle. Even when the patient's consent is obtained, a
+		  subject should access medical data only if it is required
+		  by the actual situation. For example, if the subject is
+		  assigned to the execution of a medical diagnosis workflow
+		  requiring access to the patient's medical record. We also
+		  provide a complex medical case study to highlight the
+		  design principles behind our framework. Finally, the
+		  implementation of the framework is outlined.}
+}
+
+@InProceedings{	  mitchell-wong.ea:social:2008,
+  author	= {Juliana Mitchell-Wong and Ryszard Kowalczyk and Bao Quoc
+		  Vo},
+  title		= {Social Network Profile and Policy},
+  booktitle	= {9th IEEE International Workshop on Policies for
+		  Distributed Systems and Networks (POLICY 2008), 2-4 June
+		  2008, Palisades, New York, USA},
+  year		= 2008,
+  publisher	= {IEEE Computer Society},
+  isbn		= {978-0-7695-3133-5},
+  pages		= {207--210},
+  doi		= {10.1109/POLICY.2008.41},
+  abstract	= {n this paper, we describe a new framework for healthcare
+		  systems where patients are able to control the disclosure
+		  of their medical data. In our framework, the patient's
+		  consent has a pivotal role in granting or removing access
+		  rights to subjects accessing patient's medical data.
+		  Depending on the context in which the access is being
+		  executed, different consent policies can be applied.
+		  Context is expressed in terms of workflows. The execution
+		  of a task in a given workflow carries the necessary
+		  information to infer whether the consent can be implicitly
+		  retrieved or should be explicitly requested from a patient.
+		  However, patients are always able to enforce their own
+		  decisions and withdraw consent if necessary. Additionally,
+		  the use of workflows enables us to apply the need-to-know
+		  principle. Even when the patient's consent is obtained, a
+		  subject should access medical data only if it is required
+		  by the actual situation. For example, if the subject is
+		  assigned to the execution of a medical diagnosis workflow
+		  requiring access to the patient's medical record. We also
+		  provide a complex medical case study to highlight the
+		  design principles behind our framework. Finally, the
+		  implementation of the framework is outlined.}
+}
+
+@Book{		  paulson:ml:1996,
+  author	= {Lawrence C. Paulson},
+  title		= {\acs{ml} for the Working Programmer},
+  publisher	= {Cambridge Press},
+  year		= 1996,
+  acknowledgement={none}
+}
+
+@InProceedings{	  kohler.ea:proactive:2008,
+  title		= {Pro Active Access Control for Business Process-driven
+		  Environments},
+  author	= {Mathias Kohler and Andreas Schaad},
+  booktitle	= {Annual Computer Security Applications Conference},
+  year		= 2008
+}
+
+@InProceedings{	  dewin:importance:2002,
+  author	= {Bart De Win and Frank Piessens and Wouter Joosen and Tine
+		  Verhanneman},
+  title		= {On the importance of the separation-of-concerns principle
+		  in secure software engineering},
+  booktitle	= {ACSA Workshop on the Application of Engineering Principles
+		  to System Security Design - Final Report (Serban, C.,
+		  ed.)},
+  year		= 2003,
+  pages		= {1--10}
+}
+
+@InProceedings{	  priebe:towards:2000,
+  author	= {Torsten Priebe and G\"{u}nther Pernul},
+  title		= {Towards \textsc{olap} security design --- survey and
+		  research issues},
+  booktitle	= {DOLAP '00: Proceedings of the 3rd ACM international
+		  workshop on Data warehousing and OLAP},
+  year		= 2000,
+  isbn		= {1-58113-323-5},
+  pages		= {33--40},
+  location	= {McLean, Virginia, United States},
+  doi		= {10.1145/355068.355313},
+  publisher	= {ACM},
+  address	= {New York, NY, USA}
+}
+
+@InProceedings{	  atluri:supporting:2005,
+  author	= {Vijayalakshmi Atluri and Janice Warner},
+  title		= {Supporting conditional delegation in secure workflow
+		  management systems},
+  booktitle	= PROC # { the tenth \acs{acm} symposium on Access
+		  control models and technologies (\acs{sacmat})},
+  year		= 2005,
+  isbn		= {1-59593-045-0},
+  pages		= {49--58},
+  location	= {Stockholm, Sweden},
+  doi		= {10.1145/1063979.1063990},
+  publisher	= pub-acm,
+  address	= pub-acm:adr
+}
+
+@InProceedings{	  dimmock:using:2004,
+  author	= {Nathan Dimmock and Andr{\'a} Belokosztolszki and David
+		  Eyers and Jean Bacon and Ken Moody},
+  title		= {Using trust and risk in role-based access control
+		  policies},
+  booktitle	= PROC # { the ninth ACM symposium on Access control
+		  models and technologies (\acs{sacmat})},
+  year		= 2004,
+  isbn		= {1-58113-872-5},
+  pages		= {156--162},
+  location	= {Yorktown Heights, New York, USA},
+  doi		= {10.1145/990036.990062},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  abstract	= {Emerging trust and risk management systems provide a
+		  framework for principals to determine whether they will
+		  exchange resources, without requiring a complete definition
+		  of their credentials and intentions. Most distributed
+		  access control architectures have far more rigid policy
+		  rules, yet in many respects aim to solve a similar problem.
+		  This paper elucidates the similarities between trust
+		  management and distributed access control systems by
+		  demonstrating how the OASIS access control system and its
+		  role-based policy language can be extended to make
+		  decisions on the basis of trust and risk analyses rather
+		  than on the basis of credentials alone. We apply our new
+		  model to the prototypical example of a file storage and
+		  publication service for the Grid, and test it using our
+		  Prolog-based OASIS implementation.}
+}
+
+@Article{	  barnett.ea:verification:2004,
+  author	= {Michael Barnett and Robert DeLine and Manuel F{\"a}hndrich
+		  and K. Rustan M. Leino and Wolfram Schulte},
+  title		= {Verification of Object-Oriented Programs with Invariants},
+  journal	= {Journal of Object Technology},
+  volume	= 3,
+  number	= 6,
+  year		= 2004,
+  pages		= {27--56},
+  abstract	= {An object invariant defines what it means for an object's
+		  data to be in a consistent state. Object invariants are
+		  central to the design and correctness of object-oriented
+		  programs. This paper defines a programming methodology for
+		  using object invariants. The methodology, which enriches a
+		  program's state space to express when each object invariant
+		  holds, deals with owned object components, ownership
+		  transfer, and subclassing, and is expressive enough to
+		  allow many interesting object-oriented programs to be
+		  specified and verified. Lending itself to sound modular
+		  verification, the methodology also provides a solution to
+		  the problem of determining what state a method is allowed
+		  to modify. },
+  url		= {http://www.jot.fm/issues/issue_2004_06/article2/article2.pdf}
+		  
+}
+
+@Article{	  harms.ea:copying:1991,
+  author	= {Douglas E. Harms and Bruce W. Weide},
+  title		= {Copying and Swapping: Influences on the Design of Reusable
+		  Software Components},
+  journal	= j-tse,
+  volume	= 17,
+  number	= 5,
+  year		= 1991,
+  pages		= {424--435},
+  doi		= {10.1109/32.90445 },
+  abstract	= {The authors argue that a simple alternative to copying as
+		  a data movement primitive-swapping (exchanging) the values
+		  of two variables-has potentially significant advantages in
+		  the context of the design of generic reusable software
+		  components. Specifically, the authors claim that generic
+		  module designs based on a swapping style are superior to
+		  designs based on copying, both in terms of execution-time
+		  efficiency and with respect to the likelihood of
+		  correctness of client programs and module implementations.
+		  Furthermore, designs based on swapping are more reusable
+		  than traditional designs. Specific arguments and examples
+		  to support these positions are presented},
+  publisher	= pub-ieee,
+  address	= pub-ieee:adr
+}
+
+@InProceedings{	  albano.ea:relationship:1991,
+  author	= {Antonio Albano and Giorgio Ghelli and Renzo Orsini},
+  title		= {A Relationship Mechanism for a Strongly Typed
+		  Object-Oriented Database Programming Language},
+  booktitle	= {VLDB},
+  year		= 1991,
+  pages		= {565--575},
+  crossref	= {lohman.ea:17th:1991}
+}
+
+@Proceedings{	  lohman.ea:17th:1991,
+  editor	= {Guy M. Lohman and Am\'{\i}lcar Sernadas and Rafael Camps},
+  title		= {17th International Conference on Very Large Data Bases,
+		  September 3-6, 1991, Barcelona, Catalonia, Spain,
+		  Proceedings},
+  publisher	= {Morgan Kaufmann},
+  year		= 1991,
+  isbn		= {1-55860-150-3}
+}
+
+@InProceedings{	  ernst.ea:predicate:1998,
+  author	= {Michael D. Ernst and Craig S. Kaplan and Craig Chambers},
+  title		= {Predicate Dispatching: A Unified Theory of Dispatch},
+  booktitle	= {ECOOP},
+  year		= 1998,
+  pages		= {186--211},
+  doi		= {10.1007/BFb0054092},
+  abstract	= {Predicate dispatching generalizes previous method dispatch
+		  mechanisms by permitting arbitrary predicates to control
+		  method applicability and by using logical implication
+		  between predicates as the overriding relationship. The
+		  method selected to handle a message send can depend not
+		  just on the classes of the arguments, as in ordinary
+		  object-oriented dispatch, but also on the classes of
+		  subcomponents, on an argument's state, and on relationships
+		  between objects. This simple mechanism subsumes and extends
+		  object-oriented single and multiple dispatch, ML-style
+		  pattern matching, predicate classes, and classifiers, which
+		  can all be regarded as syntactic sugar for predicate
+		  dispatching. This paper introduces predicate dispatching,
+		  gives motivating examples, and presents its static and
+		  dynamic semantics. An implementation of predicate
+		  dispatching is available.},
+  crossref	= {jul:eccop98:1998}
+}
+
+@Proceedings{	  jul:eccop98:1998,
+  editor	= {Eric Jul},
+  title		= {ECCOP'98 - Object-Oriented Programming, 12th European
+		  Conference, Brussels, Belgium, July 20-24, 1998,
+		  Proceedings},
+  booktitle	= {ECOOP},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 1445,
+  year		= 1998,
+  isbn		= {3-540-64737-6}
+}
+
+@Misc{		  garbani:future:2009,
+  author	= {Jean-Pierre Garbani},
+  title		= {Future Trends In The Enterprise Software Market},
+  howpublished	= {http://www.forrester.com/Research/Document/Excerpt/0,7211,53493,00.html}
+		  ,
+  month		= mar # {~9},
+  year		= 2009,
+  publisher	= {Forrester Research, Inc.},
+  address	= {Cambridge, USA},
+  abstract	= {Hardware, software, and people are the three basic
+		  ingredients of enterprise business technology. They provide
+		  the enterprise with an economic advantage through automated
+		  and improved business processes, increased employee
+		  productivity, and more accurate and precise information.
+		  The relationship between these three components has evolved
+		  over time: Initially, hardware reigned supreme; software
+		  was a mere adjunct and free to the mainframe buyer.
+		  Decreasing hardware costs then led to software
+		  "unbundling." In the present era of information technology,
+		  hardware's ever-decreasing costs make it an enabler of
+		  software functions. In the business technology (BT) era, we
+		  predict that managing the third part of the equation --
+		  people -- will emerge as the dominant focus. As software
+		  applications become business services, the cost of human
+		  resources producing, operating, and managing software will
+		  soon be prohibitive and the new focal point. In this
+		  regard, the current economic downturn, if it persists, may
+		  prove to be a driver that accelerates the shift toward the
+		  BT era.}
+}
+
+@Article{	  klein:operating:2009,
+  author	= {Gerwin Klein},
+  title		= {Operating System Verification --- An Overview},
+  journal	= {S\={a}dhan\={a}},
+  publisher	= pub-springer,
+  year		= 2009,
+  volume	= 34,
+  number	= 1,
+  month		= feb,
+  pages		= {27--69},
+  abstract	= {This paper gives a high-level introduction to the topic of
+		  formal, interactive, machine-checked software verification
+		  in general, and the verification of operating systems code
+		  in particular. We survey the state of the art, the
+		  advantages and limitations of machine-checked code proofs,
+		  and describe two specific ongoing larger-scale verification
+		  projects in more detail.}
+}
+
+@Article{	  edwards.ea:resolve:1994,
+  bibkey	= {edwards.ea:resolve:1994},
+  author	= {Stephen H. Edwards and Wayne D. Heym and Timothy J. Long
+		  and Murali Sitaramanand Bruce W. Weide},
+  title		= {Part II: specifying components in {RESOLVE}},
+  journal	= {SIGSOFT Softw. Eng. Notes},
+  volume	= 19,
+  number	= 4,
+  year		= 1994,
+  issn		= {0163-5948},
+  pages		= {29--39},
+  doi		= {10.1145/190679.190682},
+  publisher	= pub-acm,
+  address	= pub-acm:adr
+}
+
+@PhDThesis{	  kassios:theory:2006,
+  author	= {Ioannis T. Kassios},
+  title		= {A Theory of Object Oriented Refinement},
+  school	= {University of Toronto},
+  abstract	= {This thesis introduces a formal theory of object oriented
+		  refinement. The formal design of the theory is based on the
+		  design principles of unification and decoupling, which we
+		  believe have not been adequately used in other object
+		  oriented refinement theories.
+		  
+		  Thanks to the use of these principles, the semantics of the
+		  theory is mathematically simpler than other approaches: the
+		  formalization of most features uses very primitive
+		  mathematical entities. Furthermore, the constructs of the
+		  theory are more general than other approaches. There are
+		  specification constructs more general than classes.
+		  Features that are typically coupled with classes, like
+		  reuse and polymorphism, now apply to these more general
+		  specifications. Finally, our solution to the frame problem
+		  is the only modular approach that we know of that does not
+		  impose any aliasing control policy.
+		  
+		  To demonstrate that the extra generality offers real
+		  advantages to the specifier, we use the theory in some
+		  specification examples that would be impossible with other
+		  approaches. These examples, mainly inspired by Design
+		  Patterns, represent realistic and common software design
+		  situations.},
+  year		= 2006
+}
+
+@TechReport{	  dewar:setl:1979,
+  author	= {Robert B. K. Dewar},
+  title		= {The {SETL} Programming Language},
+  year		= 1979
+}
+
+@InBook{	  chun.ea:risk-based:2008,
+  author	= {Soon Ae Chun and Vijay Atluri},
+  editor	= {Bhargab B. Bhattacharya and Susmita Sur-Kolay and Subhas
+		  C. Nandy and Aditya Bagchi},
+  booktitle	= {Algorithms, Architecture and Information Systems
+		  Security},
+  title		= {Risk-based Access Control for Personal Data Services},
+  publisher	= {World Scientific Press},
+  year		= 2008,
+  volume	= 3,
+  series	= {Statistical Science and Interdisciplinary Research},
+  isbn		= 9789812836236
+}
+
+@Unpublished{	  clark.ea:survey:1997,
+  author	= {John Clark and Jeremy Jacob},
+  title		= {A Survey of Authentication Protocol: Literature: Version
+		  1.0},
+  year		= 1997
+}
+
+@Unpublished{	  dierks.ea:tls:1999,
+  author	= {T. Dierks and C. Allen},
+  title		= {The TLS Protocol Version 1.0},
+  year		= 1999,
+  publisher	= {RFC Editor},
+  address	= {United States},
+  note		= {RFC 2246}
+}
+
+@InProceedings{	  fontaine.ea:expressiveness:2006,
+  author	= {Pascal Fontaine and Jean-Yves Marion and Stephan Merz and
+		  Leonor Prensa Nieto and Alwen Fernanto Tiu},
+  title		= {Expressiveness + Automation + Soundness: Towards Combining
+		  SMT Solvers and Interactive Proof Assistants},
+  booktitle	= {TACAS},
+  year		= 2006,
+  pages		= {167--181},
+  doi		= {10.1007/11691372_11},
+  crossref	= {hermanns.ea:tools:2006}
+}
+
+@Proceedings{	  hermanns.ea:tools:2006,
+  editor	= {Holger Hermanns and Jens Palsberg},
+  title		= {Tools and Algorithms for the Construction and Analysis of
+		  Systems, 12th International Conference, TACAS 2006 Held as
+		  Part of the Joint European Conferences on Theory and
+		  Practice of Software, ETAPS 2006, Vienna, Austria, March 25
+		  - April 2, 2006, Proceedings},
+  booktitle	= {TACAS},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 3920,
+  year		= 2006,
+  isbn		= {3-540-33056-9}
+}
+
+@InProceedings{	  amjad:lcf-style:2008,
+  author	= {Hasan Amjad},
+  title		= {LCF-Style Propositional Simplification with BDDs and SAT
+		  Solvers},
+  booktitle	= {TPHOLs},
+  year		= 2008,
+  pages		= {55--70},
+  doi		= {10.1007/978-3-540-71067-7_9},
+  crossref	= {mohamed.ea:theorem:2008}
+}
+
+@Proceedings{	  mohamed.ea:theorem:2008,
+  editor	= {Otmane A\"{\i}t Mohamed and C{\'e}sar Mu{\~n}oz and
+		  Sofi{\`e}ne Tahar},
+  title		= {Theorem Proving in Higher Order Logics, 21st International
+		  Conference, TPHOLs 2008, Montreal, Canada, August 18-21,
+		  2008. Proceedings},
+  booktitle	= {TPHOLs},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  volume	= 5170,
+  series	= s-lncs,
+  year		= 2008,
+  isbn		= {978-3-540-71065-3}
+}
+
+@Article{	  weber:integrating:2006,
+  author	= {Tjark Weber},
+  title		= {Integrating a {SAT} Solver with an {LCF}-style Theorem
+		  Prover},
+  editor	= {Alessandro Armando and Alessandro Cimatti},
+  journal	= j-entcs,
+  month		= jan,
+  year		= 2006,
+  publisher	= pub-elsevier,
+  address	= pub-elsevier:adr,
+  pages		= {67--78},
+  doi		= {10.1016/j.entcs.2005.12.007},
+  issn		= {1571-0661},
+  volume	= 144,
+  number	= 2,
+  note		= PROC # { the Third Workshop on Pragmatics of
+		  Decision Procedures in Automated Reasoning (PDPAR 2005)},
+  clearance	= {unclassified},
+  abstract	= {This paper describes the integration of a leading SAT
+		  solver with Isabelle/HOL, a popular interactive theorem
+		  prover. The SAT solver generates resolution-style proofs
+		  for (instances of) propositional tautologies. These proofs
+		  are verified by the theorem prover. The presented approach
+		  significantly improves Isabelle's performance on
+		  propositional problems, and furthermore exhibits
+		  counterexamples for unprovable conjectures.}
+}
+
+@Article{	  weber.ea:efficiently:2009,
+  title		= {Efficiently checking propositional refutations in HOL
+		  theorem provers},
+  journal	= {Journal of Applied Logic},
+  volume	= 7,
+  number	= 1,
+  pages		= {26 -- 40},
+  year		= 2009,
+  note		= {Special Issue: Empirically Successful Computerized
+		  Reasoning},
+  issn		= {1570-8683},
+  doi		= {10.1016/j.jal.2007.07.003},
+  author	= {Tjark Weber and Hasan Amjad},
+  abstract	= {This paper describes the integration of zChaff and
+		  MiniSat, currently two leading SAT solvers, with Higher
+		  Order Logic (HOL) theorem provers. Both SAT solvers
+		  generate resolution-style proofs for (instances of)
+		  propositional tautologies. These proofs are verified by the
+		  theorem provers. The presented approach significantly
+		  improves the provers' performance on propositional
+		  problems, and exhibits counterexamples for unprovable
+		  conjectures. It is also shown that LCF-style theorem
+		  provers can serve as viable proof checkers even for large
+		  SAT problems. An efficient representation of the
+		  propositional problem in the theorem prover turns out to be
+		  crucial; several possible solutions are discussed.}
+}
+
+@Article{	  wendling:german:2009,
+  title		= {The German {eHealth} programme},
+  journal	= {Card Technology Today},
+  volume	= 21,
+  number	= 1,
+  pages		= {10--11},
+  year		= 2009,
+  issn		= {0965-2590},
+  doi		= {10.1016/S0965-2590(09)70018-0},
+  author	= {Dietmar Wendling},
+  abstract	= {Germany was one of the first countries in the world to use
+		  smart cards for healthcare. Now it is at the starting gate
+		  to roll out a new generation of cards. Dietmar Wendling,
+		  vice president of the eGovernment market sector at SCM
+		  Microsystems reports.}
+}
+
+@Article{	  meng.ea:translating:2008,
+  author	= {Jia Meng and Lawrence C. Paulson},
+  title		= {Translating Higher-Order Clauses to First-Order Clauses},
+  journal	= j-jar,
+  volume	= 40,
+  number	= 1,
+  year		= 2008,
+  pages		= {35--60},
+  doi		= {10.1007/s10817-007-9085-y}
+}
+
+@InProceedings{	  paulson.ea:source-level:2007,
+  author	= {Lawrence C. Paulson and Kong Woei Susanto},
+  title		= {Source-Level Proof Reconstruction for Interactive Theorem
+		  Proving},
+  booktitle	= {TPHOLs},
+  year		= 2007,
+  pages		= {232--245},
+  doi		= {10.1007/978-3-540-74591-4_18},
+  crossref	= {schneider.ea:theorem:2007}
+}
+
+@Proceedings{	  schneider.ea:theorem:2007,
+  editor	= {Klaus Schneider and Jens Brandt},
+  title		= {Theorem Proving in Higher Order Logics, 20th International
+		  Conference, TPHOLs 2007, Kaiserslautern, Germany, September
+		  10-13, 2007, Proceedings},
+  booktitle	= {TPHOLs},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 4732,
+  year		= 2007,
+  isbn		= {978-3-540-74590-7}
+}
+
+@Article{	  meng.ea:automation:2006,
+  author	= {Jia Meng and Claire Quigley and Lawrence C. Paulson},
+  title		= {Automation for interactive proof: First prototype},
+  journal	= {Inf. Comput.},
+  volume	= 204,
+  number	= 10,
+  year		= 2006,
+  pages		= {1575--1596},
+  doi		= {10.1016/j.ic.2005.05.010}
+}
+
+@InProceedings{	  erkok.ea:using:2008,
+  location	= {Princeton, New Jersey, USA},
+  author	= {Levent Erk{\"o}k and John Matthews},
+  booktitle	= {Automated Formal Methods (AFM'08)},
+  title		= {Using Yices as an Automated Solver in Isabelle/{HOL}},
+  year		= 2008
+}
+
+@Article{	  jurjens.ea:model-based:2008,
+  author	= {Jan J{\"u}rjens and Rumm, R.},
+  title		= {Model-based security analysis of the German health card
+		  architecture.},
+  journal	= {Methods Inf Med},
+  year		= 2008,
+  volume	= 47,
+  number	= 5,
+  pages		= {409--416},
+  keywords	= {Patient Identification Systems},
+  abstract	= {OBJECTIVES: Health-care information systems are
+		  particularly security-critical. In order to make these
+		  applications secure, the security analysis has to be an
+		  integral part of the system design and IT management
+		  process for such systems. METHODS: This work presents the
+		  experiences and results from the security analysis of the
+		  system architecture of the German Health Card, by making
+		  use of an approach to model-based security engineering that
+		  is based on the UML extension UMLsec. The focus lies on the
+		  security mechanisms and security policies of the
+		  smart-card-based architecture which were analyzed using the
+		  UMLsec method and tools. RESULTS: Main results of the paper
+		  include a report on the employment of the UMLsec method in
+		  an industrial health information systems context as well as
+		  indications of its benefits and limitations. In particular,
+		  two potential security weaknesses were detected and
+		  countermeasures discussed. CONCLUSIONS: The results
+		  indicate that it can be feasible to apply a model-based
+		  security analysis using UMLsec to an industrial health
+		  information system like the German Health Card
+		  architecture, and that doing so can have concrete benefits
+		  (such as discovering potential weaknesses, and an increased
+		  confidence that no further vulnerabilities of the kind that
+		  were considered are present).},
+  issn		= {0026-1270}
+}
+
+@InProceedings{	  miseldine:automated:2008,
+  author	= {Philip Miseldine},
+  title		= {Automated {XACML} policy reconfiguration for evaluation
+		  optimisation},
+  booktitle	= {SESS},
+  year		= 2008,
+  pages		= {1--8},
+  doi		= {10.1145/1370905.1370906},
+  crossref	= {win.ea:proceedings:2008},
+  abstract	= {We present a programmatic approach to the optimisation of
+		  XACML policies that specifies how a set of access control
+		  rules should be best represented for optimised evaluation.
+		  The work assumes no changes to the current XACML
+		  specification and methods of interpretation shall be made,
+		  so that those who consume XACML are unaffected
+		  structurally, and those that generate XACML can provide
+		  optimised output. Discussion regarding the flexibility of
+		  the XACML specification to describe the same access rules
+		  with different policy configurations is presented, and is
+		  used to formulate a comprehensive analysis of the
+		  evaluation costs the possible policy configurations will
+		  produce. This leads to the specification of methods that
+		  can be employed to produce optimal forms of policy
+		  description. These are implemented and evaluated to show
+		  the benefits of the approach proposed.}
+}
+
+@Proceedings{	  win.ea:proceedings:2008,
+  editor	= {Bart De Win and Seok-Won Lee and Mattia Monga},
+  title		= PROC # { the Fourth International Workshop on
+		  Software Engineering for Secure Systems, SESS 2008,
+		  Leipzig, Germany, May 17-18, 2008},
+  booktitle	= {SESS},
+  publisher	= {ACM},
+  year		= 2008,
+  isbn		= {978-1-60558-042-5}
+}
+
+@InProceedings{	  liu.ea:firewall:2008,
+  author	= {Alex X. Liu and Eric Torng and Chad Meiners},
+  title		= {Firewall Compressor: An Algorithm for Minimizing Firewall
+		  Policies},
+  booktitle	= PROC # { the 27th Annual IEEE Conference on Computer
+		  Communications (Infocom)},
+  year		= 2008,
+  address	= {Phoenix, Arizona},
+  month		= {April}
+}
+
+@InProceedings{	  liu.ea:xengine:2008,
+  author	= {Alex X. Liu and Fei Chen and JeeHyun Hwang and Tao Xie},
+  title		= {{XEngine}: A Fast and Scalable {XACML} Policy Evaluation
+		  Engine},
+  booktitle	= PROC # { the International Conference on Measurement
+		  and Modeling of Computer Systems (Sigmetrics)},
+  year		= 2008,
+  address	= {Annapolis, Maryland},
+  month		= {June}
+}
+
+@InProceedings{	  goubault-larrecq:towards:2008,
+  address	= {Pittsburgh, PA, USA},
+  author	= {Goubault{-}Larrecq, Jean},
+  booktitle	= {{P}roceedings of the 21st {IEEE} {C}omputer {S}ecurity
+		  {F}oundations {S}ymposium ({CSF}'08)},
+  doi		= {10.1109/CSF.2008.21},
+  month		= jun,
+  pages		= {224--238},
+  publisher	= {{IEEE} Computer Society Press},
+  title		= {Towards Producing Formally Checkable Security Proofs,
+		  Automatically},
+  year		= 2008
+}
+
+@InProceedings{	  weidenbach.ea:spass:2007,
+  author	= {Christoph Weidenbach and Renate A. Schmidt and Thomas
+		  Hillenbrand and Rostislav Rusev and Dalibor Topic},
+  title		= {System Description: Spass Version 3.0},
+  booktitle	= {CADE},
+  year		= 2007,
+  pages		= {514--520},
+  doi		= {10.1007/978-3-540-73595-3_38},
+  crossref	= {pfenning:automated:2007}
+}
+
+@Proceedings{	  pfenning:automated:2007,
+  editor	= {Frank Pfenning},
+  title		= {Automated Deduction - CADE-21, 21st International
+		  Conference on Automated Deduction, Bremen, Germany, July
+		  17-20, 2007, Proceedings},
+  booktitle	= {CADE},
+  series	= s-lncs,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  volume	= 4603,
+  year		= 2007,
+  isbn		= {978-3-540-73594-6}
+}
+
+@Article{	  paulson:tls:1999,
+  author	= {Lawrence C. Paulson},
+  title		= {Inductive Analysis of the Internet Protocol {TLS}},
+  journal	= {ACM Trans. Inf. Syst. Secur.},
+  volume	= 2,
+  number	= 3,
+  year		= 1999,
+  pages		= {332--351},
+  doi		= {10.1145/322510.322530}
+}
+
+@Article{	  harman.ea:testability:2004,
+  author	= {Mark Harman and Lin Hu and Rob Hierons and Joachim Wegener
+		  and Harmen Sthamer and Andr{\'e} Baresel and Marc Roper},
+  title		= {Testability Transformation},
+  journal	= {IEEE Trans. Softw. Eng.},
+  volume	= 30,
+  number	= 1,
+  year		= 2004,
+  issn		= {0098-5589},
+  pages		= {3--16},
+  doi		= {10.1109/TSE.2004.1265732},
+  publisher	= {IEEE Press},
+  address	= {Piscataway, NJ, USA}
+}
+
+@Article{	  dssouli.ea:communications:1999,
+  title		= {Communications software design for testability:
+		  specification transformations and testability measures},
+  journal	= {Information and Software Technology},
+  volume	= 41,
+  number	= {11-12},
+  pages		= {729--743},
+  year		= 1999,
+  issn		= {0950-5849},
+  doi		= {10.1016/S0950-5849(99)00033-6},
+  url		= {http://www.sciencedirect.com/science/article/B6V0B-3X3TD3J-4/2/0efca94003ffe88571f8aa2d346a1289}
+		  ,
+  author	= {R. Dssouli and K. Karoui and K. Saleh and O. Cherkaoui},
+  keywords	= {Testing}
+}
+
+@Article{	  baker:equal:1993,
+  author	= {Henry G. Baker},
+  title		= {Equal rights for functional objects or, the more things
+		  change, the more they are the same},
+  journal	= {OOPS Messenger},
+  volume	= 4,
+  number	= 4,
+  year		= 1993,
+  pages		= {2--27},
+  abstract	= {We argue that intensional object identity in
+		  object-oriented programming languages and databases is best
+		  defined operationally by side-effect semantics. A corollary
+		  is that "functional" objects have extensional semantics.
+		  This model of object identity, which is analogous to the
+		  normal forms of relational algebra, provides cleaner
+		  semantics for the value-transmission operations and
+		  built-in primitive equality predicate of a programming
+		  language, and eliminates the confusion surrounding
+		  "call-by-value" and "call-by-reference" as well as the
+		  confusion of multiple equality predicates.Implementation
+		  issues are discussed, and this model is shown to have
+		  significant performance advantages in persistent, parallel,
+		  distributed and multilingual processing environments. This
+		  model also provides insight into the "type equivalence"
+		  problem of Algol-68, Pascal and Ada.}
+}
+
+@Article{	  hierons.ea:branch-coverage:2005,
+  author	= {Robert M. Hierons and Mark Harman and Chris Fox},
+  title		= {Branch-Coverage Testability Transformation for
+		  Unstructured Programs},
+  journal	= {Comput. J.},
+  volume	= 48,
+  number	= 4,
+  year		= 2005,
+  pages		= {421--436},
+  doi		= {10.1093/comjnl/bxh093},
+  abstract	= {Test data generation by hand is a tedious, expensive and
+		  error-prone activity, yet testing is a vital part of the
+		  development process. Several techniques have been proposed
+		  to automate the generation of test data, but all of these
+		  are hindered by the presence of unstructured control flow.
+		  This paper addresses the problem using testability
+		  transformation. Testability transformation does not
+		  preserve the traditional meaning of the program, rather it
+		  deals with preserving test-adequate sets of input data.
+		  This requires new equivalence relations which, in turn,
+		  entail novel proof obligations. The paper illustrates this
+		  using the branch coverage adequacy criterion and develops a
+		  branch adequacy equivalence relation and a testability
+		  transformation for restructuring. It then presents a proof
+		  that the transformation preserves branch adequacy.}
+}
+
+@InProceedings{	  harman:open:2008,
+  title		= {Open Problems in Testability Transformation},
+  author	= {Harman, M.},
+  booktitle	= {Software Testing Verification and Validation Workshop,
+		  2008. ICSTW '08. IEEE International Conference on},
+  year		= 2008,
+  month		= {April},
+  pages		= {196--209},
+  keywords	= {data analysis, program testingsearch-based test data
+		  generation, test adequacy criterion, testability
+		  transformation},
+  doi		= {10.1109/ICSTW.2008.30},
+  issn		= {978-0-7695-3388-9},
+  abstract	= {Testability transformation (tetra) seeks to transform a
+		  program in order to make it easier to generate test data.
+		  The test data is generated from the transformed version of
+		  the program, but it is applied to the original version for
+		  testing purposes. A transformation is a testability
+		  transformation with respect to a test adequacy criterion if
+		  all test data that is adequate for the transformed program
+		  is also adequate for the untransformed program. Testability
+		  transformation has been shown to be effective at improving
+		  coverage for search based test data generation. However,
+		  there are many interesting open problems. This paper
+		  presents some of these open problems. The aim is to show
+		  how testability transformation can be applied to a wide
+		  range of testing scenarios.}
+}
+
+@InProceedings{	  harman.ea:testability:2008,
+  author	= {Mark Harman and Andr{\'e} Baresel and David Binkley and
+		  Robert M. Hierons and Lin Hu and Bogdan Korel and Phil
+		  McMinn and Marc Roper},
+  title		= {Testability Transformation - Program Transformation to
+		  Improve Testability},
+  booktitle	= {Formal Methods and Testing},
+  year		= 2008,
+  pages		= {320--344},
+  doi		= {10.1007/978-3-540-78917-8_11},
+  crossref	= {hierons.ea:formal:2008}
+}
+
+@InProceedings{	  veanes.ea:model-based:2008,
+  author	= {Margus Veanes and Colin Campbell and Wolfgang Grieskamp
+		  and Wolfram Schulte and Nikolai Tillmann and Lev
+		  Nachmanson},
+  title		= {Model-Based Testing of Object-Oriented Reactive Systems
+		  with Spec Explorer},
+  booktitle	= {Formal Methods and Testing},
+  year		= 2008,
+  pages		= {39--76},
+  doi		= {10.1007/978-3-540-78917-8_2},
+  abstract	= {},
+  crossref	= {hierons.ea:formal:2008}
+}
+
+@Proceedings{	  hierons.ea:formal:2008,
+  editor	= {Robert M. Hierons and Jonathan P. Bowen and Mark Harman},
+  title		= {Formal Methods and Testing, An Outcome of the FORTEST
+		  Network, Revised Selected Papers},
+  booktitle	= {Formal Methods and Testing},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 4949,
+  year		= 2008,
+  isbn		= {978-3-540-78916-1}
+}
+
+@Booklet{	  omg:uml-infrastructure:2009,
+  bibkey	= {omg:uml-infrastructure:2009},
+  key		= omg,
+  publisher	= omg,
+  language	= {USenglish},
+  note		= {Available as \acs{omg} document
+		  \href{http://www.omg.org/cgi-bin/doc?formal/2009-02-04}
+		  {formal/2009-02-04}},
+  keywords	= {\acs{uml}},
+  topic		= {formalism},
+  public	= {yes},
+  title		= {\acs{uml} 2.2 Infrastructure Specification},
+  year		= 2009
+}
+
+@InProceedings{	  pirretti.ea:secure:2006,
+  author	= {Matthew Pirretti and Patrick Traynor and Patrick McDaniel
+		  and Brent Waters},
+  title		= {Secure attribute-based systems},
+  booktitle	= PROC # {ACM conference on
+		  Computer and communications security (CCS)},
+  year		= 2006,
+  isbn		= {1-59593-518-5},
+  pages		= {99--112},
+  location	= {Alexandria, Virginia, USA},
+  doi		= {10.1145/1180405.1180419},
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  abstract	= {Attributes define, classify, or annotate the datum to
+		  which they are assigned. However, traditional attribute
+		  architectures and cryptosystems are ill-equipped to provide
+		  security in the face of diverse access requirements and
+		  environments. In this paper, we introduce a novel secure
+		  information management architecture based on emerging
+		  attribute-based encryption (ABE) primitives. A policy
+		  system that meets the needs of complex policies is defined
+		  and illustrated. Based on the needs of those policies, we
+		  propose cryptographic optimizations that vastly improve
+		  enforcement efficiency. We further explore the use of such
+		  policies in two example applications: a HIPAA compliant
+		  distributed file system and a social network. A performance
+		  analysis of our ABE system and example applications
+		  demonstrates the ability to reduce cryptographic costs by
+		  as much as 98\% over previously proposed constructions.
+		  Through this, we demonstrate that our attribute system is
+		  an efficient solution for securely managing information in
+		  large, loosely-coupled, distributed systems.}
+}
+
+@Article{	  milicev:semantics:2007,
+  bibkey	= {milicev:semantics:2007},
+  title		= {On the Semantics of Associations and Association Ends in
+		  UML},
+  author	= {Dragan Milicev},
+  journal	= {IEEE Transactions on Software Engineering},
+  year		= 2007,
+  month		= apr,
+  volume	= 33,
+  number	= 4,
+  pages		= {238--251},
+  keywords	= {Unified Modeling Language, entity-relationship modelling,
+		  formal specification, object-oriented programming,
+		  programming language semanticsUML, Unified Modeling
+		  Language, association end, conceptual modeling, formal
+		  semantics, formal specification, intentional
+		  interpretation, object-oriented modeling},
+  doi		= {10.1109/TSE.2007.37},
+  issn		= {0098-5589}
+}
+
+@InProceedings{	  bierman.ea:first-class:2005,
+  author	= {Gavin M. Bierman and Alisdair Wren},
+  title		= {First-Class Relationships in an Object-Oriented Language},
+  booktitle	= {ECOOP},
+  year		= 2005,
+  pages		= {262--286},
+  doi		= {10.1007/11531142_12},
+  crossref	= {black:ecoop:2005}
+}
+
+@Proceedings{	  black:ecoop:2005,
+  editor	= {Andrew P. Black},
+  title		= {ECOOP 2005 - Object-Oriented Programming, 19th European
+		  Conference, Glasgow, UK, July 25-29, 2005, Proceedings},
+  booktitle	= {ECOOP},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 3586,
+  year		= 2005,
+  isbn		= {3-540-27992-X}
+}
+
+@Article{	  shafiq.ea:secure:2005,
+  title		= {Secure interoperation in a multidomain environment
+		  employing RBAC policies},
+  author	= {Basit Shafiq and James B.D. Joshi and Elisa Bertino and
+		  Arif Ghafoor},
+  journal	= j-tkde,
+  year		= 2005,
+  month		= nov,
+  volume	= 17,
+  number	= 11,
+  pages		= {1557--1577},
+  keywords	= {Internet, authorisation, integer programming, open systems
+		  Internet-based enterprise, heterogeneous role-based access
+		  control, integer programming, multidomain application
+		  environment, optimality criterion, policy integration
+		  framework, secure interoperation},
+  doi		= {10.1109/TKDE.2005.185},
+  issn		= {1041-4347}
+}
+
+@Article{	  aedo.ea:rbac:2006,
+  volume	= 11,
+  number	= 4,
+  month		= dec,
+  year		= 2006,
+  title		= {An {RBAC} Model-Based Approach to Specify the Access
+		  Policies of Web-Based Emergency Information Systems},
+  author	= {Ignacio Aedo and Paloma D{\'i}az and Daniel Sanz},
+  journal	= {The International Journal of Intelligent Control and
+		  Systems},
+  page		= {272--283},
+  abstract	= {One of the main design challenges of any Web-based
+		  Emergency Management Information System (WEMIS) is the
+		  diversity of users and responsibilities to be considered.
+		  Modelling the access capabilities of different communities
+		  of users is a most relevant concern for which the RBAC
+		  (Role-Based Access Control) paradigm provides flexible and
+		  powerful constructs. In this paper we describe how we used
+		  an RBAC model-based approach to specify at different levels
+		  of abstraction the access policy of a specific WEMIS called
+		  ARCE (Aplicaci{\`o}n en Red para Casos de Emergencia). This
+		  approach made possible to face access modelling at earlier
+		  development stages, so that stakeholders got involved in
+		  analytical and empirical evaluations to test the
+		  correctness and completeness of the access policy.
+		  Moreover, since the RBAC meta-model is embedded into a web
+		  engineering method, we put in practice a holistic process
+		  addressing different design perspectives in an integrated
+		  way. }
+}
+
+@InProceedings{	  phillips.ea:information:2002,
+  author	= {Charles E. Phillips, Jr. and T.C. Ting and Steven A.
+		  Demurjian},
+  title		= {Information sharing and security in dynamic coalitions},
+  booktitle	= {SACMAT '02: Proceedings of the seventh ACM symposium on
+		  Access control models and technologies},
+  year		= 2002,
+  isbn		= {1-58113-496-7},
+  pages		= {87--96},
+  location	= {Monterey, California, USA},
+  doi		= {10.1145/507711.507726},
+  address	= pub-acm:adr,
+  publisher	= pub-acm
+}
+
+@InProceedings{	  martino.ea:multi-domain:2008,
+  title		= {Multi-domain and privacy-aware role based access control
+		  in eHealth},
+  author	= {Lorenzo D. Martino and Qun Ni and Dan Lin and Elisa
+		  Bertino},
+  booktitle	= {Second International Conference on Pervasive Computing
+		  Technologies for Healthcare (PervasiveHealth 2008)},
+  year		= 2008,
+  month		= {30 2008-Feb. 1},
+  pages		= {131--134},
+  keywords	= {authorisation, data privacy, health care, medical
+		  information systemseHealth, electronic medical/health
+		  records, healthcare professionals, multidomain
+		  privacy-aware role based access control, patient safety,
+		  privacy preserving,},
+  doi		= {10.1109/PCTHEALTH.2008.4571050}
+}
+
+@InProceedings{	  kamath.ea:user-credential:2006,
+  author	= {Ajith Kamath and Ramiro Liscano and Abdulmotaleb El
+		  Saddik},
+  title		= {User-credential based role mapping in multi-domain
+		  environment},
+  booktitle	= {PST '06: Proceedings of the 2006 International Conference
+		  on Privacy, Security and Trust},
+  year		= 2006,
+  isbn		= {1-59593-604-1},
+  pages		= {1--1},
+  location	= {Markham, Ontario, Canada},
+  doi		= {10.1145/1501434.1501507},
+  address	= pub-acm:adr,
+  publisher	= pub-acm
+}
+
+@Article{	  geethakumari.ea:cross:2009,
+  journal	= {International Journal of Computer Science \& Applications},
+  title		= {A Cross -- Domain Role Mapping and Authorization Framework
+		  for {RBAC} in Grid Systems.},
+  year		= 2009,
+  volume	= {VI},
+  issue		= {I},
+  author	= {G. Geethakumari and Atul Negi and V. N. Sastry},
+  issn		= {0972-9038}
+}
+
+@InProceedings{	  gogolla.ea:benchmark:2008,
+  author	= {Martin Gogolla and Mirco Kuhlmann and Fabian B{\"u}ttner},
+  title		= {A Benchmark for \acs{ocl} Engine Accuracy,
+		  Determinateness, and Efficiency},
+  booktitle	= {MoDELS},
+  year		= 2008,
+  pages		= {446--459},
+  doi		= {10.1007/978-3-540-87875-9_32},
+  crossref	= {czarnecki.ea:models:2008},
+  abstract	= {The Object Constraint Language (OCL) is a central element
+		  in modeling and transformation languages like UML, MOF, and
+		  QVT. Consequently approaches for MDE (Model-Driven
+		  Engineering) depend on OCL. However, OCL is present not
+		  only in these areas influenced by the OMG but also in the
+		  Eclipse Modeling Framework (EMF). Thus the quality of OCL
+		  and its realization in tools seems to be crucial for the
+		  success of model-driven development. Surprisingly, up to
+		  now a benchmark for OCL to measure quality properties has
+		  not been proposed. This paper puts forward in the first
+		  part the concepts of a comprehensive OCL benchmark. Our
+		  benchmark covers (A) OCL engine accuracy (e.g., for the
+		  undefined value and the use of variables), (B) OCL engine
+		  determinateness properties (e.g., for the collection
+		  operations any and flatten), and (C) OCL engine efficiency
+		  (for data type and user-defined operations). In the second
+		  part, this paper empirically evaluates the proposed
+		  benchmark concepts by examining a number of OCL tools. The
+		  paper discusses several differences in handling particular
+		  OCL language features and underspecifications in the OCL
+		  standard.}
+}
+
+@InProceedings{	  gessenharter:mapping:2008,
+  author	= {Dominik Gessenharter},
+  title		= {Mapping the {UML2} Semantics of Associations to a {Java}
+		  Code Generation Model},
+  booktitle	= {MoDELS},
+  year		= 2008,
+  pages		= {813--827},
+  doi		= {10.1007/978-3-540-87875-9_56},
+  crossref	= {czarnecki.ea:models:2008}
+}
+
+@Proceedings{	  czarnecki.ea:models:2008,
+  editor	= {Krzysztof Czarnecki and Ileana Ober and Jean-Michel Bruel
+		  and Axel Uhl and Markus V{\"o}lter},
+  title		= {Model Driven Engineering Languages and Systems, 11th
+		  International Conference, MoDELS 2008, Toulouse, France,
+		  September 28 - October 3, 2008. Proceedings},
+  booktitle	= {MoDELS},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 5301,
+  year		= 2008,
+  isbn		= {978-3-540-87874-2}
+}
+
+@Article{	  aalst.ea:workflow:2003,
+  author	= {Wil M. P. van der Aalst and Arthur H. M. ter Hofstede and
+		  Bartek Kiepuszewski and Alistair P. Barros},
+  title		= {Workflow Patterns},
+  journal	= {Distributed and Parallel Databases},
+  volume	= 14,
+  number	= 1,
+  year		= 2003,
+  pages		= {5--51},
+  doi		= {10.1023/A:1022883727209},
+  abstract	= {Differences in features supported by the various
+		  contemporary commercial workflow management systems point
+		  to different insights of suitability and different levels
+		  of expressive power. The challenge, which we undertake in
+		  this paper, is to systematically address workflow
+		  requirements, from basic to complex. Many of the more
+		  complex requirements identified, recur quite frequently in
+		  the analysis phases of workflow projects, however their
+		  implementation is uncertain in current products.
+		  Requirements for workflow languages are indicated through
+		  workflow patterns. In this context, patterns address
+		  business requirements in an imperative workflow style
+		  expression, but are removed from specific workflow
+		  languages. The paper describes a number of workflow
+		  patterns addressing what we believe identify comprehensive
+		  workflow functionality. These patterns provide the basis
+		  for an in-depth comparison of a number of commercially
+		  availablework flow management systems. As such, this paper
+		  can be seen as the academic response to evaluations made by
+		  prestigious consulting companies. Typically, these
+		  evaluations hardly consider the workflow modeling language
+		  and routing capabilities, and focus more on the purely
+		  technical and commercial aspects.}
+}
+
+@InProceedings{	  chalin.ea:non-null:2005,
+  author	= {Patrice Chalin and Fr\'{e}d\'{e}ric Rioux},
+  title		= {Non-null references by default in the {Java} modeling
+		  language},
+  booktitle	= {SAVCBS '05: Proceedings of the 2005 conference on
+		  Specification and verification of component-based systems},
+  year		= 2005,
+  isbn		= {1-59593-371-9},
+  pages		= 9,
+  location	= {Lisbon, Portugal},
+  doi		= {10.1145/1123058.1123068},
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  abstract	= {Based on our experiences and those of our peers, we
+		  hypothesized that in Java code, the majority of
+		  declarations that are of reference types are meant to be
+		  non-null. Unfortunately, the Java Modeling Language (JML),
+		  like most interface specification and object-oriented
+		  programming languages, assumes that such declarations are
+		  possibly-null by default. As a consequence, developers need
+		  to write specifications that are more verbose than
+		  necessary in order to accurately document their module
+		  interfaces. In practice, this results in module interfaces
+		  being left incompletely and inaccurately specified. In this
+		  paper we present the results of a study that confirms our
+		  hypothesis. Hence, we propose an adaptation to JML that
+		  preserves its language design goals and that allows
+		  developers to specify that declarations of reference types
+		  are to be interpreted as non-null by default. We explain
+		  how this default is safer and results in less writing on
+		  the part of specifiers than null-by-default. The paper also
+		  reports on an implementation of the proposal in some of the
+		  JML tools.}
+}
+
+@Article{	  ekman.ea:pluggable:2007,
+  author	= {Torbj{\"o}rn Ekman and G{\"o}rel Hedin},
+  title		= {Pluggable checking and inferencing of nonnull types for
+		  {Java}},
+  journal	= {Journal of Object Technology},
+  volume	= 6,
+  number	= 9,
+  year		= 2007,
+  pages		= {455--475},
+  ee		= {http://www.jot.fm/issues/issue_2007_10/paper23/index.html}
+		  
+}
+
+@InProceedings{	  fahndrich.ea:declaring:2003,
+  author	= {Manuel F{\"a}hndrich and K. Rustan M. Leino},
+  title		= {Declaring and checking non-null types in an
+		  object-oriented language},
+  booktitle	= {OOPSLA},
+  year		= 2003,
+  pages		= {302--312},
+  doi		= {10.1145/949305.949332},
+  crossref	= {crocker.ea:proceedings:2003}
+}
+
+@Proceedings{	  crocker.ea:proceedings:2003,
+  editor	= {Ron Crocker and Guy L. Steele Jr.},
+  title		= PROC # { the 2003 ACM SIGPLAN Conference on
+		  Object-Oriented Programming Systems, Languages and
+		  Applications, OOPSLA 2003, October 26-30, 2003, Anaheim,
+		  CA, USA},
+  booktitle	= {OOPSLA},
+  year		= 2003,
+  isbn		= {1-58113-712-5},
+  address	= pub-acm:adr,
+  publisher	= pub-acm
+}
+
+@InProceedings{	  lee.ea:lightweight:2007,
+  author	= {Hannah K. Lee and Heiko and Luedemann},
+  title		= {lightweight decentralized authorization model for
+		  inter-domain collaborations},
+  booktitle	= {SWS '07: Proceedings of the 2007 ACM workshop on Secure
+		  web services},
+  year		= 2007,
+  isbn		= {978-1-59593-892-3},
+  pages		= {83--89},
+  location	= {Fairfax, Virginia, USA},
+  doi		= {10.1145/1314418.1314431},
+  address	= pub-acm:adr,
+  publisher	= pub-acm
+}
+
+@InProceedings{	  freudenthal.ea:drbac:2002,
+  title		= {{dRBAC}: distributed role-based access control for dynamic
+		  coalition environments},
+  author	= {Freudenthal, E. and Pesin, T. and Port, L. and Keenan, E.
+		  and Karamcheti, V.},
+  journal	= {Distributed Computing Systems, 2002. Proceedings. 22nd
+		  International Conference on},
+  year		= 2002,
+  pages		= {411--420},
+  keywords	= {authorisation, distributed processing PKI identities,
+		  continuous monitoring, controlled activities, credential
+		  discovery, credential validation, dRBAC, distributed
+		  role-based access control, dynamic coalition environments,
+		  graph approach, long-lived interactions, multiple
+		  administrative domains, namespaces, policy roots, role
+		  delegation, scalable decentralized access control
+		  mechanism, scalable decentralized trust-management
+		  mechanism, scalar valued attributes, third-party
+		  delegation, transferred permissions, trust domains, trust
+		  relationships},
+  doi		= {10.1109/ICDCS.2002.1022279},
+  issn		= {1063-6927 },
+  abstract	= {distributed role-based access control (dRBAC) is a
+		  scalable, decentralized trust-management and access-control
+		  mechanism for systems that span multiple administrative
+		  domains. dRBAC utilizes PKI identities to define trust
+		  domains, roles to define controlled activities, and role
+		  delegation across domains to represent permissions to these
+		  activities. The mapping of controlled actions to roles
+		  enables their namespaces to serve as policy roots. dRBAC
+		  distinguishes itself from previous approaches by providing
+		  three features: (1) third-party delegation of roles from
+		  outside a domain's namespace, relying upon an explicit
+		  delegation of assignment; (2) modulation of transferred
+		  permissions using scalar valued attributes associated with
+		  roles; and (3) continuous monitoring of trust relationships
+		  over long-lived interactions. The paper describes the dRBAC
+		  model and its scalable implementation using a graph
+		  approach to credential discovery and validation.}
+}
+
+@Article{	  liu.ea:role-based:2004,
+  author	= {Duen-Ren Liu and Mei-Yu Wu and Shu-Teng Lee},
+  title		= {Role-based authorizations for workflow systems in support
+		  of task-based separation of duty},
+  journal	= {Journal of Systems and Software},
+  volume	= 73,
+  number	= 3,
+  year		= 2004,
+  pages		= {375--387},
+  doi		= {10.1016/S0164-1212(03)00175-4},
+  abstract	= {Role-based authorizations for assigning tasks of workflows
+		  to roles/users are crucial to security management in
+		  workflow management systems. The authorizations must
+		  enforce separation of duty (SoD) constraints to prevent
+		  fraud and errors. This work analyzes and defines several
+		  duty-conflict relationships among tasks, and designs
+		  authorization rules to enforce SoD constraints based on the
+		  analysis. A novel authorization model that incorporates
+		  authorization rules is then proposed to support the
+		  planning of assigning tasks to roles/users, and the
+		  run-time activation of tasks. Different from existing work,
+		  the proposed authorization model considers the AND/XOR
+		  split structures of workflows and execution dependency
+		  among tasks to enforce separation of duties in assigning
+		  tasks to roles/users. A prototype system is developed to
+		  realize the effectiveness of the proposed authorization
+		  model.}
+}
+
+@Booklet{	  nipkow.ea:isabelle-hol:2009,
+  title		= {{Isabelle's} Logic: {HOL}},
+  author	= {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel},
+  year		= 2009,
+  misc		= {\url{http://isabelle.in.tum.de/library/HOL/}}
+}
+
+@InProceedings{	  garson.ea:security:2008,
+  author	= {Garson, Kathryn and Adams, Carlisle},
+  title		= {Security and privacy system architecture for an e-hospital
+		  environment},
+  booktitle	= {IDtrust '08: Proceedings of the 7th symposium on Identity
+		  and trust on the Internet},
+  year		= 2008,
+  isbn		= {978-1-60558-066-1},
+  pages		= {122--130},
+  location	= {Gaithersburg, Maryland},
+  doi		= {10.1145/1373290.1373306},
+  address	= pub-acm:adr,
+  publisher	= pub-acm
+}
+
+@Article{	  kambourakis.ea:pki-based:2005,
+  author	= {G. Kambourakis and I. Maglogiannis and A. Rouskas},
+  title		= {PKI-based secure mobile access to electronic health
+		  services and data},
+  journal	= {Technology and Health Care Journal},
+  volume	= 13,
+  number	= 6,
+  year		= 2005,
+  issn		= {0928-7329},
+  pages		= {511--526},
+  publisher	= pub-ios,
+  address	= pub-ios:adr,
+  abstract	= {Recent research works examine the potential employment of
+		  public-key cryptography schemes in e-health environments.
+		  In such systems, where a Public Key Infrastructure (PKI) is
+		  established beforehand, Attribute Certificates (ACs) and
+		  public key enabled protocols like TLS, can provide the
+		  appropriate mechanisms to effectively support
+		  authentication, authorization and confidentiality services.
+		  In other words, mutual trust and secure communications
+		  between all the stakeholders, namely physicians, patients
+		  and e-health service providers, can be successfully
+		  established and maintained. Furthermore, as the recently
+		  introduced mobile devices with access to computer-based
+		  patient record systems are expanding, the need of
+		  physicians and nurses to interact increasingly with such
+		  systems arises. Considering public key infrastructure
+		  requirements for mobile online health networks, this paper
+		  discusses the potential use of Attribute Certificates (ACs)
+		  in an anticipated trust model. Typical trust interactions
+		  among doctors, patients and e-health providers are
+		  presented, indicating that resourceful security mechanisms
+		  and trust control can be obtained and implemented. The
+		  application of attribute certificates to support medical
+		  mobile service provision along with the utilization of the
+		  de-facto TLS protocol to offer competent confidentiality
+		  and authorization services is also presented and evaluated
+		  through experimentation, using both the 802.11 WLAN and
+		  General Packet Radio Service (GPRS) networks.}
+}
+
+@InProceedings{	  sahai.ea:fuzzy:2005,
+  author	= {Amit Sahai and Brent Waters},
+  title		= {Fuzzy Identity-Based Encryption},
+  year		= 2005,
+  pages		= {457--473},
+  doi		= {10.1007/11426639_27},
+  crossref	= {cramer:advances:2005},
+  abstract	= {We introduce a new type of Identity-Based Encryption (IBE)
+		  scheme that we call Fuzzy Identity-Based Encryption. In
+		  Fuzzy IBE we view an identity as set of descriptive
+		  attributes. A Fuzzy IBE scheme allows for a private key for
+		  an identity, ohgr, to decrypt a ciphertext encrypted with
+		  an identity, ohgr prime, if and only if the identities ohgr
+		  and ohgr prime are close to each other as measured by the
+		  ldquoset overlaprdquo distance metric. A Fuzzy IBE scheme
+		  can be applied to enable encryption using biometric inputs
+		  as identities; the error-tolerance property of a Fuzzy IBE
+		  scheme is precisely what allows for the use of biometric
+		  identities, which inherently will have some noise each time
+		  they are sampled. Additionally, we show that Fuzzy-IBE can
+		  be used for a type of application that we term
+		  ldquoattribute-based encryptionrdquo. In this paper we
+		  present two constructions of Fuzzy IBE schemes. Our
+		  constructions can be viewed as an Identity-Based Encryption
+		  of a message under several attributes that compose a
+		  (fuzzy) identity. Our IBE schemes are both error-tolerant
+		  and secure against collusion attacks. Additionally, our
+		  basic construction does not use random oracles. We prove
+		  the security of our schemes under the Selective-ID security
+		  model. }
+}
+
+@Proceedings{	  cramer:advances:2005,
+  editor	= {Ronald Cramer},
+  booktitle  = PROC # {International Conference on the Theory and Applications of
+		  Cryptographic Techniques (EUROCRYPT)},
+  location  = {Advances in Cryptology - EUROCRYPT 2005, 24th Annual
+		  International Conference on the Theory and Applications of
+		  Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005,
+		  Proceedings},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 3494,
+  year		= 2005,
+  isbn		= {3-540-25910-4}
+}
+
+@InProceedings{	  goyal.ea:attribute-based:2006,
+  author	= {Vipul Goyal and Omkant Pandey and Amit Sahai and Brent
+		  Waters},
+  title		= {Attribute-based encryption for fine-grained access control
+		  of encrypted data},
+  booktitle	= {CCS '06: Proceedings of the 13th ACM conference on
+		  Computer and communications security},
+  year		= 2006,
+  isbn		= {1-59593-518-5},
+  pages		= {89--98},
+  location	= {Alexandria, Virginia, USA},
+  doi		= {10.1145/1180405.1180418},
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  abstract	= {As more sensitive data is shared and stored by third-party
+		  sites on the Internet, there will be a need to encrypt data
+		  stored at these sites. One drawback of encrypting data, is
+		  that it can be selectively shared only at a coarse-grained
+		  level (i.e., giving another party your private key). We
+		  develop a new cryptosystem for fine-grained sharing of
+		  encrypted data that we call Key-Policy Attribute-Based
+		  Encryption (KP-ABE). In our cryptosystem, ciphertexts are
+		  labeled with sets of attributes and private keys are
+		  associated with access structures that control which
+		  ciphertexts a user is able to decrypt. We demonstrate the
+		  applicability of our construction to sharing of audit-log
+		  information and broadcast encryption. Our construction
+		  supports delegation of private keys which
+		  subsumesHierarchical Identity-Based Encryption (HIBE).}
+}
+
+@InProceedings{	  li.ea:privacy-aware:2009,
+  author	= {Jin Li and Kui Ren and Bo Zhu and Zhiguo Wan},
+  title		= {Privacy-aware Attribute-based Encryption with User
+		  Accountability},
+  booktitle	= {The 12th Information Security Conference (ISC'09)},
+  location	= {September 7-9, 2009, Pisa},
+  year		= 2009,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  abstract	= {As a new public key primitive, attribute-based encryption
+		  (ABE) is envisioned to be a promising tool for implementing
+		  fine-grained access control. To further address the concern
+		  of user access privacy, privacy-aware ABE schemes are being
+		  developed to achieve hidden access policy recently. For the
+		  purpose of secure access control, there is, how- ever,
+		  still one critical functionality missing in the existing
+		  ABE schemes, which is user accountability. Currently, no
+		  ABE scheme can completely prevent the problem of illegal
+		  key sharing among users. In this paper, we tackle this
+		  problem by firstly proposing the notion of accountable,
+		  anonymous, and ciphertext-policy ABE (CP-A3 BE, in short)
+		  and then giving out a concrete construction. We start by
+		  improving the state-of-the-art of anonymous CP-ABE to
+		  obtain shorter public parameters and ciphertext length. In
+		  the proposed CP-A3 BE construction, user accountability can
+		  be achieved in black-box model by embedding additional
+		  user-specific information into the attribute private key
+		  issued to that user, while still maintaining hidden access
+		  policy. The proposed constructions are provably secure.}
+}
+
+@InProceedings{	  bobba.ea:pbes:2009,
+  author	= {Rakesh Bobba and and Himanshu Khurana and Musab AlTurki
+		  and Farhana Ashraf},
+  title		= {PBES: a policy based encryption system with application to
+		  data sharing in the power grid},
+  booktitle	= {ASIACCS '09: Proceedings of the 4th International
+		  Symposium on Information, Computer, and Communications
+		  Security},
+  year		= 2009,
+  isbn		= {978-1-60558-394-5},
+  pages		= {262--275},
+  location	= {Sydney, Australia},
+  doi		= {10.1145/1533057.1533093},
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  abstract	= {In distributed systems users need the ability to share
+		  sensitive content with multiple other recipients based on
+		  their ability to satisfy arbitrary policies. One such
+		  system is electricity grids where finegrained sensor data
+		  sharing holds the potential for increased reliability and
+		  efficiency. However, effective data sharing requires
+		  technical solutions that support flexible access policies,
+		  for example, sharing more data when the grid is unstable.
+		  In such systems, both the messages and policies are
+		  sensitive and, therefore, they need to kept be secret.
+		  Furthermore, to allow for such a system to be secure and
+		  usable in the presence of untrusted object stores and
+		  relays it must be resilient in the presence of active
+		  adversaries and provide efficient key management. While
+		  several of these properties have been studied in the past
+		  we address a new problem in the area of policy based
+		  encryption in that we develop a solution with all of these
+		  capabilities. We develop a Policy and Key Encapsulation
+		  Mechanism -- Data Encapsulation Mechanism (PKEM-DEM)
+		  encryption scheme that is a generic construction secure
+		  against adaptive chosen ciphertext attacks and develop a
+		  Policy Based Encryption System (PBES) using this scheme
+		  that provides these capabilities. We provide an
+		  implementation of PBES and measure its performance.}
+}
+
+@InProceedings{	  shanqing.ea:attribute-based:2008,
+  author	= {Guo Shanqing and Zeng Yingpei},
+  title		= {Attribute-based Signature Scheme},
+  doi		= {10.1109/ISA.2008.111},
+  booktitle	= {International Conference on Information Security and
+		  Assurance, 2008 (ISA 2008)},
+  year		= 2008,
+  pages		= {509--511},
+  month		= apr,
+  address	= pub-ieee:adr,
+  publisher	= pub-ieee,
+  abstract	= {In real life, one requires signatures from people who
+		  satisfy certain criteria like that they should possess some
+		  specific attributes. For example, Alice wants a document to
+		  be signed by some employee in Bob's company. This employee
+		  must have certain attributes such as being part of the IT
+		  staff and at least a junior manager in the cryptography
+		  team or a senior manager in the biometrics team. In order
+		  to satisfy these kinds of needs, we defined a common
+		  Attribute-based signature scheme where the signing member
+		  has to have certain attributes or belong to a certain
+		  group, and we also proved our scheme to be secure.}
+}
+
+@Article{	  huang.ea:aspe:2009,
+  title		= {ASPE: attribute-based secure policy enforcement in
+		  vehicular ad hoc networks},
+  journal	= {Ad Hoc Networks},
+  volume	= 7,
+  number	= 8,
+  pages		= {1526--1535},
+  year		= 2009,
+  mynote		= {Privacy and Security in Wireless Sensor and Ad Hoc
+		  Networks},
+  issn		= {1570-8705},
+  doi		= {10.1016/j.adhoc.2009.04.011},
+  author	= {Dijiang Huang and Mayank Verma},
+  keywords	= {Security, Vehicular networks, Secure group communications,
+		  Key management, Attribute based encryption},
+  publisher	= pub-elsevier,
+  address	= pub-elsevier:adr,
+  abstract	= {Vehicular ad hoc networks (VANETs) are usually operated
+		  among vehicles moving at high speeds, and thus their
+		  communication relations can be changed frequently. In such
+		  a highly dynamic environment, establishing trust among
+		  vehicles is difficult. To solve this problem, we propose a
+		  flexible, secure and decentralized attribute based secure
+		  key management framework for VANETs. Our solution is based
+		  on attribute based encryption (ABE) to construct an
+		  attribute based security policy enforcement (ASPE)
+		  framework. ASPE considers various road situations as
+		  attributes. These attributes are used as encryption keys to
+		  secure the transmitted data. ASPE is flexible in that it
+		  can dynamically change encryption keys depending on the
+		  VANET situations. At the same time, ASPE naturally
+		  incorporates data access control policies on the
+		  transmitted data. ASPE provides an integrated solution to
+		  involve data access control, key management, security
+		  policy enforcement, and secure group formation in highly
+		  dynamic vehicular communication environments. Our
+		  performance evaluations show that ASPE is efficient and it
+		  can handle large amount of data encryption/decryption flows
+		  in VANETs.}
+}
+
+@InProceedings{	  weber:securing:2009,
+  author	= {Stefan G. Weber},
+  title		= {Securing First Response Coordination With Dynamic
+		  Attribute-Based Encryption},
+  booktitle	= {World Congress on Privacy, Security, Trust and the
+		  Management of e-Business (CONGRESS)},
+  year		= 2009,
+  pages		= {58--69},
+  isbn		= {978-0-7695-3805-1},
+  address	= pub-ieee:adr,
+  publisher	= pub-ieee,
+  abstract	= {Every minute saved in emergency management processes can
+		  save additional lives of affected victims. Therefore, an
+		  effective coordination of the incident reactions of mobile
+		  first responders is very important, especially in the face
+		  of rapidly changing situations of large scale disasters.
+		  However, tactical communication and messaging between the
+		  headquarter and mobile first responders, initiated for
+		  coordination purposes, has to meet a strong security
+		  requirements: it must preserve confidentiality in order to
+		  prevent malicious third parties from disrupting the
+		  reactions. This paper presents concepts to support the
+		  secure coordination of mobile first responders by providing
+		  means for secure ubiquitous tactical communication. Our
+		  concept harnesses ciphertext-policy attribute-based
+		  encryption (CP-ABE) techniques. We extend current CP-ABE
+		  proposals by additionally taking into account dynamic
+		  factors: our proposed system is able to handle dynamic
+		  attributes, like current status of duty and location of
+		  mobile first responders, in a secure fashion, in order to
+		  support flexible specification of receiver groups of
+		  tactical messages, while end-to-end encryption in the
+		  messaging process is still satisfied.}
+}
+
+@InProceedings{	  cardoso:approaches:2006,
+  author	= {Jorge Cardoso},
+  title		= {Approaches to Compute Workflow Complexity},
+  booktitle	= {The Role of Business Processes in Service Oriented
+		  Architectures},
+  year		= 2006,
+  ee		= {http://drops.dagstuhl.de/opus/volltexte/2006/821},
+  crossref	= {leymann.ea:role:2006},
+  abstract	= {During the last 20 years, complexity has been an
+		  interesting topic that has been investigated in many fields
+		  of science, such as biology, neurology, software
+		  engineering, chemistry, psychology, and economy. A survey
+		  of the various approaches to understand complexity has lead
+		  sometimes to a measurable quantity with a rigorous but
+		  narrow definition and other times as merely an ad hoc
+		  label. In this paper we investigate the complexity concept
+		  to avoid a vague use of the term `complexity' in workflow
+		  designs. We present several complexity metrics that have
+		  been used for a number of years in adjacent fields of
+		  science and explain how they can be adapted and use to
+		  evaluate the complexity of workflows. }
+}
+
+@Proceedings{	  leymann.ea:role:2006,
+  editor	= {Frank Leymann and Wolfgang Reisig and Satish R. Thatte and
+		  Wil M. P. van der Aalst},
+  title		= {The Role of Business Processes in Service Oriented
+		  Architectures, 16.07. - 21.07.2006},
+  booktitle	= {The Role of Business Processes in Service Oriented
+		  Architectures},
+  publisher	= {Internationales Begegnungs- und Forschungszentrum fuer
+		  Informatik (IBFI), S chloss Dagstuhl, Germany},
+  series	= {Dagstuhl Seminar Proceedings},
+  volume	= 06291,
+  year		= 2006
+}
+
+@Article{	  parnas:stop:2007,
+  author	= {David Lorge Parnas},
+  title		= {Stop the numbers game},
+  journal	= j-cacm,
+  volume	= 50,
+  number	= 11,
+  year		= 2007,
+  issn		= {0001-0782},
+  pages		= {19--21},
+  doi		= {10.1145/1297797.1297815},
+  address	= pub-acm:adr,
+  publisher	= pub-acm
+}
+
+
+
+
+@InBook{	  gentry:ibe:2006,
+  author	= {Craig Gentry},
+  chapter		= {IBE (Identity-Based Encryption)},
+  title	= {Handbook of Information Security},
+  editor	= {Hossein Bidgoli},
+  volume	= 2,
+  isbn		= {0-471-64833-7},
+  publisher	= {John Wiley \& Sons},
+  pages		= {575--592},
+  month		= jan,
+  year		= 2006
+}
+
+@InProceedings{	  bethencourt.ea:ciphertext-policy:2007,
+  author	= {John Bethencourt and Amit Sahai and Brent Waters},
+  title		= {Ciphertext-Policy Attribute-Based Encryption},
+  booktitle	= {IEEE Symposium on Security and Privacy},
+  pages		= {321--334},
+  year		= 2007,
+  doi		= {10.1109/SP.2007.11},
+  abstract	= {In several distributed systems a user should only be able
+		  to access data if a user posses a certain set of
+		  credentials or attributes. Currently, the only method for
+		  enforcing such policies is to employ a trusted server to
+		  store the data and mediate access control. However, if any
+		  server storing the data is compromised, then the
+		  confidentiality of the data will be compromised. In this
+		  paper we present a system for realizing complex access
+		  control on encrypted data that we call ciphertext-policy
+		  attribute-based encryption. By using our techniques
+		  encrypted data can be kept confidential even if the storage
+		  server is untrusted; moreover, our methods are secure
+		  against collusion attacks. Previous attribute-based
+		  encryption systems used attributes to describe the
+		  encrypted data and built policies into user's keys; while
+		  in our system attributes are used to describe a user's
+		  credentials, and a party encrypting data determines a
+		  policy for who can decrypt. Thus, our methods are
+		  conceptually closer to traditional access control methods
+		  such as role-based access control (RBAC). In addition, we
+		  provide an implementation of our system and give
+		  performance measurements.},
+  publisher	= pub-ieee,
+  address	= pub-ieee:adr
+}
+
+@Article{	  karedla.ea:caching:1994,
+  author	= {Ramakrishna Karedla and J. Spencer Love and Bradley G.
+		  Wherry},
+  title		= {Caching strategies to improve disk system performance},
+  journal	= j-computer,
+  volume	= 27,
+  number	= 3,
+  issn		= {0018-9162},
+  year		= 1994,
+  pages		= {38--46},
+  doi		= {10.1109/2.268884},
+  publisher	= pub-ieee,
+  address	= pub-ieee:adr,
+  abstract	= {I/O subsystem manufacturers attempt to reduce latency by
+		  increasing disk rotation speeds, incorporating more
+		  intelligent disk scheduling algorithms, increasing I/O bus
+		  speed, using solid-state disks, and implementing caches at
+		  various places in the I/O stream. In this article, we
+		  examine the use of caching as a means to increase system
+		  response time and improve the data throughput of the disk
+		  subsystem. Caching can help to alleviate I/O subsystem
+		  bottlenecks caused by mechanical latencies. This article
+		  describes a caching strategy that offers the performance of
+		  caches twice its size. After explaining some basic caching
+		  issues, we examine some popular caching strategies and
+		  cache replacement algorithms, as well as the advantages and
+		  disadvantages of caching at different levels of the
+		  computer system hierarchy. Finally, we investigate the
+		  performance of three cache replacement algorithms: random
+		  replacement (RR), least recently used (LRU), and a
+		  frequency-based variation of LRU known as segmented LRU
+		  (SLRU). }
+}
+
+@InProceedings{	  megiddo.ea:arc:2003,
+  author	= {Nimrod Megiddo and Dharmendra S. Modha},
+  title		= {{ARC}: A Self-Tuning, Low Overhead Replacement Cache},
+  booktitle	= {FAST '03: Proceedings of the 2nd USENIX Conference on File
+		  and Storage Technologies},
+  year		= 2003,
+  pages		= {115--130},
+  location	= {San Francisco, CA},
+  publisher	= {\acs{usenix} Association},
+  address	= {Berkeley, CA, USA}
+}
+
+@InProceedings{	  chou.ea:evaluation:1985,
+  author	= {Hong-Tai Chou and David J. DeWitt},
+  title		= {An evaluation of buffer management strategies for
+		  relational database systems},
+  booktitle	= {VLDB '1985: Proceedings of the 11th international
+		  conference on Very Large Data Bases},
+  year		= 1985,
+  pages		= {127--141},
+  location	= {Stockholm, Sweden},
+  publisher	= {VLDB Endowment}
+}
+
+@InProceedings{	  yu.ea:fdac:2009,
+  author	= {Shucheng Yu and Kui Ren and Wenjing Lou},
+  title		= {{FDAC}: Toward fine-grained distributed data access
+		  control in wireless sensor networks},
+  booktitle	= PROC # { \acs{ieee} Conference on Computer
+                  Communications (INFOCOM)},
+  year		= 2009,
+  address	= pub-ieee:adr,
+  publisher	= pub-ieee,
+  abstract	= {Distributed sensor data storage and retrieval has gained
+		  increasing popularity in recent years for supporting
+		  various applications. While distributed architecture enjoys
+		  a more robust and fault-tolerant wireless sensor network
+		  (WSN), such architecture also poses a number of security
+		  challenges especially when applied in mission-critical
+		  applications such as battle field and e-healthcare. First,
+		  as sensor data are stored and maintained by individual
+		  sensors and unattended sensors are easily subject to strong
+		  attacks such as physical compromise, it is significantly
+		  harder to ensure data security. Second, in many
+		  mission-critical applications, fine-grained data access
+		  control is a must as illegal access to the sensitive data
+		  may cause disastrous result and/or prohibited by the law.
+		  Last but not least, sensors usually are resource-scarce,
+		  which limits the direct adoption of expensive cryptographic
+		  primitives. To address the above challenges, we propose in
+		  this paper a distributed data access control scheme that is
+		  able to fulfill fine-grained access control over sensor
+		  data and is resilient against strong attacks such as sensor
+		  compromise and user colluding. The proposed scheme exploits
+		  a novel cryptographic primitive called attribute-based
+		  encryption (ABE), tailors, and adapts it for WSNs with
+		  respect to both performance and security requirements. The
+		  feasibility of the scheme is demonstrated by experiments on
+		  real sensor platforms. To our best knowledge, this paper is
+		  the first to realize distributed fine-grained data access
+		  control for WSNs.}
+}
+
+@InProceedings{	  traynor.ea:massive-scale:2008,
+  author	= {Patrick Traynor and Kevin R. B. Butler and William Enck
+		  and Patrick McDaniel},
+  title		= {Realizing Massive-Scale Conditional Access Systems Through
+		  Attribute-Based Cryptosystems},
+  booktitle	= PROC # { 15th Annual Network and Distributed System
+		  Security Symposium (NDSS 2008)},
+  year		= 2008,
+  abstract	= {The enormous growth in the diversity of content services
+		  such as IPtv has highlighted the inadequacy of the
+		  accompanying content security: existing security mechanisms
+		  scale poorly, require complex and often costly dedicated
+		  hardware, or fail to meet basic security requirements. New
+		  security methods are needed. In this paper, we explore the
+		  ability of attribute-based encryption (ABE) to meet the
+		  unique performance and security requirements of conditional
+		  access systems such as subscription radio and payper- view
+		  television. We show through empirical study that costs of
+		  ABE make its direct application inappropriate, but present
+		  constructions that mitigate its incumbent costs. We develop
+		  an extensive simulation that allows us to explore the
+		  performance of a number of virtual hardware configurations
+		  and construction parameters over workloads developed from
+		  real subscription and television audiences. These
+		  simulations show that we can securely deliver high quality
+		  content to viewerships of the highest rated shows being
+		  broadcast today, some in excess of 26,000,000 viewers. It
+		  is through these experiments that we expose the viability
+		  of not only ABE-based content delivery, but applicability
+		  of ABE systems to large-scale distributed systems.},
+  url		= {http://www.isoc.org/isoc/conferences/ndss/08/papers/06_realizing_massive-scale_conditional.pdf}
+		  ,
+  location	= {San Diego, California, USA},
+  month		= feb,
+  publisher	= {The Internet Society}
+}
+
+@Article{	  alpern.ea:defining:1985,
+  author	= {Bowen Alpern and Fred B. Schneider},
+  title		= {Defining Liveness},
+  journal	= j-ipl,
+  volume	= 21,
+  number	= 4,
+  year		= 1985,
+  pages		= {181--185}
+}
+
+@Article{	  lamport:proving:1977,
+  title		= {Proving the Correctness of Multiprocess Programs},
+  author	= {Leslie Lamport},
+  journal	= j-tse,
+  year		= 1977,
+  month		= {March},
+  volume	= {SE-3},
+  number	= 2,
+  pages		= {125--143},
+  abstract	= {The inductive assertion method is generalized to permit
+		  formal, machine-verifiable proofs of correctness for
+		  multiprocess programs. Individual processes are represented
+		  by ordinary flowcharts, and no special synchronization
+		  mechanisms are assumed, so the method can be applied to a
+		  large class of multiprocess programs. A correctness proof
+		  can be designed together with the program by a hierarchical
+		  process of stepwise refinement, making the method practical
+		  for larger programs. The resulting proofs tend to be
+		  natural formalizations of the informal proofs that are now
+		  used.},
+  keywords	= {null Assertions, concufrent programming, correctness,
+		  multiprocessing, synchronization},
+  doi		= {10.1109/TSE.1977.229904},
+  issn		= {0098-5589}
+}
+
+@InProceedings{	  goodenough.ea:toward:1975,
+  author	= {John B. Goodenough and Susan L. Gerhart},
+  title		= {Toward a theory of test data selection},
+  booktitle	= PROC # { the international conference on Reliable
+		  software},
+  year		= 1975,
+  pages		= {493--510},
+  url		= {http://portal.acm.org/citation.cfm?id=808473&dl=ACM&coll=GUIDE#}
+		  ,
+  location	= {Los Angeles, California},
+  abstract	= {This paper examines the theoretical and practical role of
+		  testing in software development. We prove a fundamental
+		  theorem showing that properly structured tests are capable
+		  of demonstrating the absence of errors in a program. The
+		  theorem's proof hinges on our definition of test
+		  reliability and validity, but its practical utility hinges
+		  on being able to show when a test is actually reliable. We
+		  explain what makes tests unreliable (for example, we show
+		  by example why testing all program statements, predicates,
+		  or paths is not usually sufficient to insure test
+		  reliability), and we outline a possible approach to
+		  developing reliable tests. We also show how the analysis
+		  required to define reliable tests can help in checking a
+		  program's design and specifications as well as in
+		  preventing and detecting implementation errors. },
+  acknowledgement={none}
+}
+
+@InCollection{	  aczel:introduction:1977,
+  author	= {Peter Aczel},
+  title		= {An Introduction to Inductive Definitions},
+  booktitle	= {Handbook of Mathematical Logic},
+  editor	= {Jon Barwise},
+  series	= {Studies in Logic and the Foundations of Mathematics},
+  volume	= 90,
+  chapter	= {C.7},
+  pages		= {739--782},
+  publisher	= {North-Holland},
+  address	= {Amsterdam},
+  year		= 1977
+}
+
+@InProceedings{	  cousot.ea:abstract:1977,
+  author	= {Patrick Cousot and Radhia Cousot},
+  title		= {Abstract interpretation: a unified lattice model for
+		  static analysis of programs by construction or
+		  approximation of fixpoints},
+  booktitle	= PROC # { the 4th ACM SIGACT-SIGPLAN symposium on
+		  Principles of programming languages},
+  year		= 1977,
+  pages		= {238--252},
+  location	= {Los Angeles, California},
+  doi		= {10.1145/512950.512973},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  acknowledgement={none}
+}
+
+@Article{	  cardelli.ea:understanding:1985,
+  author	= {Luca Cardelli and Peter Wegner},
+  title		= {On understanding types, data abstraction, and
+		  polymorphism},
+  journal	= {ACM Computing Surveys},
+  volume	= 17,
+  number	= 4,
+  year		= 1985,
+  issn		= {0360-0300},
+  acknowledgement={none},
+  pages		= {471--523},
+  doi		= {10.1145/6041.6042},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  abstract	= {Our objective is to understand the notion of type in
+		  programming languages, present a model of typed,
+		  polymorphic programming languages that reflects recent
+		  research in type theory, and examine the relevance of
+		  recent research to the design of practical programming
+		  languages. Object-oriented languages provide both a
+		  framework and a motivation for exploring the interaction
+		  among the concepts of type, data abstraction, and
+		  polymorphism, since they extend the notion of type to data
+		  abstraction and since type inheritance is an important form
+		  of polymorphism. We develop a &lgr;-calculus-based model
+		  for type systems that allows us to explore these
+		  interactions in a simple setting, unencumbered by
+		  complexities of production programming languages. The
+		  evolution of languages from untyped universes to
+		  monomorphic and then polymorphic type systems is reviewed.
+		  Mechanisms for polymorphism such as overloading, coercion,
+		  subtyping, and parameterization are examined. A unifying
+		  framework for polymorphic type systems is developed in
+		  terms of the typed &lgr;-calculus augmented to include
+		  binding of types by quantification as well as binding of
+		  values by abstraction. The typed &lgr;-calculus is
+		  augmented by universal quantification to model generic
+		  functions with type parameters, existential quantification
+		  and packaging (information hiding) to model abstract data
+		  types, and bounded quantification to model subtypes and
+		  type inheritance. In this way we obtain a simple and
+		  precise characterization of a powerful type system that
+		  includes abstract data types, parametric polymorphism, and
+		  multiple inheritance in a single consistent framework. The
+		  mechanisms for type checking for the augmented
+		  &lgr;-calculus are discussed. The augmented typed
+		  &lgr;-calculus is used as a programming language for a
+		  variety of illustrative examples. We christen this language
+		  Fun because fun instead of &lgr; is the functional
+		  abstraction keyword and because it is pleasant to deal
+		  with. Fun is mathematically simple and can serve as a basis
+		  for the design and implementation of real programming
+		  languages with type facilities that are more powerful and
+		  expressive than those of existing programming languages. In
+		  afsyped object-oriented languages. }
+}
+
+@InProceedings{	  wadler:listlessness:1985,
+  author	= {Philip Wadler},
+  title		= {Listlessness is better than laziness II: composing
+		  listless functions},
+  booktitle	= {on Programs as data objects},
+  year		= 1985,
+  isbn		= {0-387-16446-4},
+  pages		= {282--305},
+  location	= {Copenhagen, Denmark},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  acknowledgement={none}
+}
+
+@InProceedings{	  clement.ea:simple:1986,
+  author	= {Dominique Cl\'ement and Thierry Despeyroux and Gilles Kahn
+		  and Jo\"elle Despeyroux},
+  title		= {A simple applicative language: {mini-ML}},
+  booktitle	= {LFP '86: Proceedings of the 1986 ACM conference on LISP
+		  and functional programming},
+  year		= 1986,
+  isbn		= {0-89791-200-4},
+  pages		= {13--27},
+  location	= {Cambridge, Massachusetts, United States},
+  doi		= {10.1145/319838.319847},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  acknowledgement={none}
+}
+
+@InProceedings{	  hamlet:theoretical:1989,
+  author	= {R. Hamlet},
+  title		= {Theoretical comparison of testing methods},
+  booktitle	= PROC # { the ACM SIGSOFT '89 third symposium on
+		  Software testing, analysis, and verification},
+  year		= 1989,
+  isbn		= {0-89791-342-6},
+  pages		= {28--37},
+  location	= {Key West, Florida, United States},
+  doi		= {10.1145/75308.75313},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  acknowledgement={none}
+}
+
+@Article{	  frankl.ea:applicable:1988,
+  author	= {P. G. Frankl and E. J. Weyuker},
+  title		= {An Applicable Family of Data Flow Testing Criteria},
+  journal	= j-ieee-tse,
+  volume	= 14,
+  number	= 10,
+  year		= 1988,
+  month		= oct,
+  issn		= {0098-5589},
+  pages		= {1483--1498},
+  doi		= {http://dx.doi.org/10.1109/32.6194},
+  publisher	= pub-ieee,
+  abstract	= {he authors extend the definitions of the previously
+		  introduced family of data flow testing criteria to apply to
+		  programs written in a large subset of Pascal. They then
+		  define a family of adequacy criteria called feasible data
+		  flow testing criteria, which are derived from the data-flow
+		  testing criteria. The feasible data flow testing criteria
+		  circumvent the problem of nonapplicability of the data flow
+		  testing criteria by requiring the test data to exercise
+		  only those definition-use associations which are
+		  executable. It is shown that there are significant
+		  differences between the relationships among the data flow
+		  testing criteria and the relationships among the feasible
+		  data flow testing criteria. The authors discuss a
+		  generalized notion of the executability of a path through a
+		  program unit. A script of a testing session using their
+		  data flow testing tool, ASSET, is included.},
+  acknowledgement={none}
+}
+
+@InProceedings{	  teo.ea:use:1988,
+  author	= {Ghee S. Teo and M\'{\i}che{\'a}l Mac an Airchinnigh},
+  title		= {The Use of VDM in the Specification of Chinese
+		  Characters.},
+  booktitle	= {VDM Europe},
+  year		= 1988,
+  pages		= {476--499},
+  crossref	= {bloomfield.ea:vdm:1988},
+  acknowledgement={none}
+}
+
+@Proceedings{	  bloomfield.ea:vdm:1988,
+  editor	= {Robin E. Bloomfield and Lynn S. Marshall and Roger B.
+		  Jones},
+  title		= {VDM '88, VDM - The Way Ahead, 2nd VDM-Europe Symposium,
+		  Dublin, Ireland, September 11-16, 1988, Proceedings},
+  booktitle	= {VDM Europe},
+  publisher	= pub-springer,
+  series	= lncs,
+  volume	= 328,
+  year		= 1988,
+  isbn		= {3-540-50214-9},
+  acknowledgement={none},
+  bibkey	= {bloomfield.ea:vdm:1988}
+}
+
+@InProceedings{	  cook.ea:inheritance:1990,
+  author	= {William R. Cook and Walter Hill and Peter S. Canning},
+  title		= {Inheritance is not subtyping},
+  booktitle	= {POPL '90: Proceedings of the 17th ACM SIGPLAN-SIGACT
+		  symposium on Principles of programming languages},
+  year		= 1990,
+  isbn		= {0-89791-343-4},
+  pages		= {125--135},
+  location	= {San Francisco, California, United States},
+  doi		= {10.1145/96709.96721},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  acknowledgement={none},
+  abstract	= {In typed object-oriented languages the subtype relation is
+		  typically based on the inheritance hierarchy. This
+		  approach, however, leads either to insecure type-systems or
+		  to restrictions on inheritance that make it less flexible
+		  than untyped Smalltalk inheritance. We present a new typed
+		  model of inheritance that allows more of the flexibility of
+		  Smalltalk inheritance within a statically-typed system.
+		  Significant features of our analysis are the introduction
+		  of polymorphism into the typing of inheritance and the
+		  uniform application of inheritance to objects, classes and
+		  types. The resulting notion of type inheritance allows us
+		  to show that the type of an inherited object is an
+		  inherited type but not always a subtype. },
+  bibkey	= {cook.ea:inheritance:1990}
+}
+
+@Article{	  lynch.ea:forward:1996,
+  author	= {Nancy Lynch and Frits Vaandrager},
+  title		= {Forward and backward simulations II.: timing-based
+		  systems},
+  journal	= {Inf. Comput.},
+  volume	= 128,
+  number	= 1,
+  year		= 1996,
+  issn		= {0890-5401},
+  pages		= {1--25},
+  doi		= {10.1006/inco.1996.0060},
+  publisher	= {Academic Press, Inc.},
+  acknowledgement={none},
+  bibkey	= {lynch.ea:forward:1996}
+}
+
+@Article{	  lamport.ea:should:1999,
+  author	= {Leslie Lamport and Lawrence C. Paulson},
+  title		= {Should your specification language be typed.},
+  journal	= {ACM Trans. Program. Lang. Syst.},
+  volume	= 21,
+  number	= 3,
+  year		= 1999,
+  acknowledgement={none},
+  pages		= {502--526},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  issn		= {0164-0925},
+  doi		= {10.1145/319301.319317}
+}
+
+@InProceedings{	  muller.ea:formal:1997,
+  title		= {Formal Specification Techniques for Object-Oriented
+		  Programs },
+  author	= {Peter M{\"u}ller and Arnd Poetzsch-Heffter },
+  editor	= {Jarke, M. and Pasedach, K. and Pohl, K. },
+  booktitle	= {Informatik 97: Informatik als Innovationsmotor },
+  series	= {Informatik Aktuell },
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  acknowledgement={none},
+  year		= 1997,
+  abstract	= {Specification techniques for object-oriented programs
+		  relate the operational world of programs to the declarative
+		  world of specifications. We present a formal foundation of
+		  interface specification languages. Based on the formal
+		  foundation, we develop new specification techniques to
+		  describe functional behavior, invariants, and side-effects.
+		  Furthermore, we discuss the influence of program extensions
+		  on program correctness.}
+}
+
+@Article{	  wolper:meaning:1997,
+  author	= {Pierre Wolper},
+  title		= {The Meaning of ``Formal'': From Weak to Strong Formal
+		  Methods.},
+  journal	= j-sttt,
+  volume	= 1,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  number	= {1-2},
+  year		= 1997,
+  pages		= {6--8},
+  doi		= {10.1007/s100090050002},
+  acknowledgement={none}
+}
+
+@TechReport{	  aredo.ea:towards:1999,
+  title		= {Towards a formalization of {UML} Class Structure in
+		  {PVS}},
+  author	= {Demissie B. Aredo and I. Traore and K. St{\o}len},
+  institution	= {Department of Informatics, University of Oslo},
+  year		= 1999,
+  month		= aug,
+  number	= 272,
+  acknowledgement={none}
+}
+
+@Book{		  derrick.ea:refinement:2001,
+  author	= {John Derrick and Eerke Boiten},
+  title		= {Refinement in {Z} and {Object-Z}},
+  library	= {ETH-BIB},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  isbn		= {1-85233-245-X},
+  url		= {http://www.cs.kent.ac.uk/people/staff/jd1/books/refine/},
+  year		= 2001,
+  acknowledgement={none},
+  bibkey	= {derrick.ea:refinement:2001}
+}
+
+@TechReport{	  boer.ea:towards:2003,
+  author	= {Frank S. de Boer and Cees Pierik},
+  year		= 2003,
+  title		= {Towards an environment for the verification of annotated
+		  object-oriented programs},
+  number	= {UU-CS-2003-002},
+  institution	= {Institute of Information and Computing Sciences, Utrecht
+		  University},
+  acknowledgement={none}
+}
+
+@Article{	  dybjer.ea:verifying:2004,
+  author	= {Peter Dybjer and Qiao Haiyana and Makoto Takeyama},
+  booktitle	= {Third International Conference on Quality Software: QSIC
+		  2003},
+  title		= {Verifying Haskell programs by combining testing, model
+		  checking and interactive theorem proving},
+  journal	= {Information and Software Technology},
+  year		= 2004,
+  number	= 15,
+  volume	= 46,
+  pages		= {1011--1025},
+  doi		= {10.1016/j.infsof.2004.07.002},
+  abstract	= {We propose a program verification method that combines
+		  random testing, model checking and interactive theorem
+		  proving. Testing and model checking are used for debugging
+		  programs and specifications before a costly interactive
+		  proof attempt. During proof development, testing and model
+		  checking quickly eliminate false conjectures and generate
+		  counterexamples which help to correct them. With an
+		  interactive theorem prover we also ensure the correctness
+		  of the reduction of a top level problem to subproblems that
+		  can be tested or proved. We demonstrate the method using
+		  our random testing tool and binary decision diagrams-based
+		  (BDDs) tautology checker, which are added to the Agda/Alfa
+		  interactive proof assistant for dependent type theory. In
+		  particular we apply our techniques to the verification of
+		  Haskell programs. The first example verifies the BDD
+		  checker itself by testing its components. The second uses
+		  the tautology checker to verify bitonic sort together with
+		  a proof that the reduction of the problem to the checked
+		  form is correct.},
+  acknowledgement={none}
+}
+
+@PhDThesis{	  kopylov:type:2004,
+  author	= {Alexei Pavlovich Kopylov},
+  title		= {Type Theoretical Foundations for Data Structures, Classes,
+		  and Objects},
+  school	= {Cornell University},
+  year		= 2004,
+  abstract	= {In this thesis we explore the question of how to represent
+		  programming data structures in a constructive type theory.
+		  The basic data structures in programing languages are
+		  records and objects. Most known papers treat such data
+		  structure as primitive. That is, they add new primitive
+		  type constructors and sup- porting axioms for records and
+		  objects. This approach is not satisfactory. First of all it
+		  complicates a type theory a lot. Second, the validity of
+		  the new axioms is not easily established. As we will see
+		  the naive choice of axioms can lead to contradiction even
+		  in the simplest cases. We will show that records and
+		  objects can be defined in a powerful enough type theory. We
+		  will also show how to use these type constructors to define
+		  abstract data structure. },
+  acknowledgement={none},
+  month		= jan
+}
+
+@InProceedings{	  kyas.ea:message:2004,
+  author	= {Marcel Kyas and Frank S. de Boer},
+  title		= {On Message Specification in {OCL}},
+  booktitle	= {Compositional Verification in UML},
+  year		= 2004,
+  editor	= {Frank S. de Boer and Marcello Bonsangue},
+  acknowledgement={none},
+  series	= entcs,
+  volume	= 101,
+  pages		= {73--93},
+  publisher	= elsevier,
+  address	= elsevier:adr,
+  abstract	= {The object constraint language (OCL) is the established
+		  language for specifying of properties of objects and object
+		  structures. Recently an extension of OCL has been proposed
+		  for the specification of messages sent between objects. In
+		  this paper we present a generalization of this extension
+		  which allows addition- ally to specify causality
+		  constraints. From a pragmatic point of view, such causality
+		  constraints are needed to express, for example, that each
+		  acknowledgment must be preceded by a matching request,
+		  which is frequently required by communication protocols.
+		  Our generalization is based on the introduction of
+		  histories into OCL. Histories describe the external
+		  behavior of objects and groups of objects. Moreover, to
+		  reason compositionally about the behavior of a complex
+		  system we distinguish between local specifications of a
+		  single object and global specifications describing the
+		  interaction between objects. These two types of
+		  specifications are expressed in syntactically difierent
+		  dialects of OCL. Our notion of compositionality, which is
+		  formalized in this paper by a compatibility predicate on
+		  histories, allows the verification of models during the
+		  early stages of a design. }
+}
+
+@InProceedings{	  kyas.ea:extended:2004,
+  author	= {Marcel Kyas and Harald Fecher},
+  title		= {An Extended Type System for {OCL} supporting Templates and
+		  Transformations},
+  booktitle	= {Formal Methods for Open Object-Based Distributed Systems,
+		  7th {IFIP} {WG} 6.1 International Conference, {FMOODS}
+		  2005, Athens, Greece, June 15-17, 2005, Proceedings},
+  acknowledgement={none},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  year		= 2004,
+  volume	= 3535,
+  editor	= {Martin Steffen and Gianluigi Zavattaro},
+  isbn		= {3-540-26181-8},
+  pages		= {83--98},
+  series	= llncs,
+  doi		= {10.1007/11494881_6}
+}
+
+@InProceedings{	  giese.ea:simplifying:2005,
+  author	= {Martin Giese and Daniel Larsson},
+  title		= {Simplifying Transformations of {OCL} Constraints},
+  booktitle	= {Proceedings, Model Driven Engineering Languages and
+		  Systems (MoDELS) Conference 2005, Montego Bay, Jamaica},
+  editor	= {Lionel Briand and Clay Williams},
+  pages		= {309--323},
+  volume	= 3713,
+  acknowledgement={none},
+  month		= oct,
+  series	= lncs,
+  year		= 2005
+}
+
+@InCollection{	  okeefe:improving:2006,
+  paddress	= {Heidelberg},
+  address	= pub-springer:adr,
+  author	= {Greg O'Keefe},
+  booktitle	= {{MoDELS} 2006: Model Driven Engineering Languages and
+		  Systems},
+  language	= {USenglish},
+  publisher	= pub-springer,
+  acknowledgement={none},
+  series	= lncs,
+  doi		= {10.1007/11880240_4},
+  number	= 4199,
+  year		= 2006,
+  pages		= {42--56},
+  editor	= {Oscar Nierstrasz and Jon Whittle and David Harel and
+		  Gianna Reggio},
+  title		= {Improving the Definition of {UML}},
+  abstract	= {The literature on formal semantics for UML is huge and
+		  growing rapidly. Most contributions open with a brief
+		  remark motivating the work, then quickly move on to the
+		  technical detail. How do we decide whether more rigorous
+		  semantics are needed? Do we currently have an adequate
+		  definition of the syntax? How do we evaluate proposals to
+		  improve the definition? We provide criteria by which these
+		  and other questions can be answered. The growing role of
+		  UML is examined. We compare formal language definition
+		  techniques with those currently used in the definition of
+		  UML. We study this definition for both its content and
+		  form, and conclude that improvements are required. Finally,
+		  we briefly survey the UML formalisation literature,
+		  applying our criteria to determine which of the existing
+		  approaches show the most potential.}
+}
+
+@TechReport{	  wasserrab.ea:operational:2005,
+  author	= {Daniel Wasserrab and Tobias Nipkow and Gregor Snelting and
+		  Frank Tip},
+  title		= {An Operational Semantics and Type Safety Proof for
+		  {\Cpp}-Like Multiple Inheritance},
+  institution	= {IBM Yorktown Heights},
+  number	= {RC 23709},
+  month		= aug,
+  year		= 2005,
+  abstract	= {We present, for the first time, an operational semantics
+		  and a type system for a \Cpp-like object-oriented language
+		  with both shared and repeated multiple inheritance,
+		  together with a machine-checked proof of type safety. The
+		  formalization uncovered several subtle ambiguities in \Cpp,
+		  which \Cpp compilers resolve by ad-hoc means or which even
+		  result in uncontrolled run-time errors. The semantics is
+		  formalized in Isabelle/HOL.},
+  acknowledgement={none}
+}
+
+@Unpublished{	  crane.ea:class:2006,
+  author	= {Michelle L. Crane and Juergen Dingel and Zinovy Diskin},
+  title		= {Class Diagrams: Abstract Syntax and Mapping to System
+		  Model},
+  note		= {Version 1.7.4},
+  url		= {http://www.cs.queensu.ca/~stl/internal/uml2/documents.htm}
+		  ,
+  pdf		= {papers/2006/crane.ea-class-2006.pdf},
+  acknowledgement={none},
+  year		= 2006
+}
+
+@Article{	  henning:rise:2006,
+  author	= {Michi Henning},
+  title		= {The rise and fall of {CORBA}},
+  journal	= {Queue},
+  volume	= 4,
+  number	= 5,
+  year		= 2006,
+  issn		= {1542-7730},
+  pages		= {28--34},
+  doi		= {10.1145/1142031.1142044},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  acknowledgement={none},
+  abstract	= {Depending on exactly when one starts counting, CORBA is
+		  about 10-15 years old. During its lifetime, CORBA has moved
+		  from being a bleeding-edge technology for early adopters,
+		  to being a popular middleware, to being a niche technology
+		  that exists in relative obscurity. It is instructive to
+		  examine why CORBA---despite once being heralded as the
+		  {\^a}next-generation technology for e-commerce---suffered
+		  this fate. CORBA{\^a}s history is one that the computing
+		  industry has seen many times, and it seems likely that
+		  current middleware efforts, specifically Web services, will
+		  reenact a similar history.}
+}
+
+@InProceedings{	  briggs.ea:effective:1994,
+  author	= {Preston Briggs and Keith D. Cooper},
+  title		= {Effective partial redundancy elimination},
+  booktitle	= PROC # { the ACM SIGPLAN 1994 conference on
+		  Programming language design and implementation},
+  year		= 1994,
+  isbn		= {0-89791-662-X},
+  pages		= {159--170},
+  location	= {Orlando, Florida, United States},
+  doi		= {10.1145/178243.178257},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  acknowledgement={none},
+  bibkey	= {briggs.ea:effective:1994},
+  abstract	= {Partial redundancy elimination is a code optimization with
+		  a long history of literature and implementation. In
+		  practice, its effectiveness depends on issues of naming and
+		  code shape. This paper shows that a combination of global
+		  reassociation and global value numbering can increase the
+		  effectiveness of partial redundancy elimina- tion. By
+		  imposing a discipline on the choice of names and the shape
+		  of expressions, we are able to expose more redundancies, As
+		  part of the work, we introduce a new algorithm for global
+		  reassociation of expressions. It uses global in- formation
+		  to reorder expressions, creating opportunities for other
+		  optimization. The new algorithm generalizes earlier work
+		  that ordered FORTRAN array address ex- pressions to improve
+		  optimization.}
+}
+
+@Article{	  binder:design:1994,
+  author	= {Robert V. Binder},
+  title		= {Design for testability in object-oriented systems},
+  journal	= j-cacm,
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  volume	= 37,
+  number	= 9,
+  pages		= {87--101},
+  month		= sep,
+  year		= 1994,
+  issn		= {0001-0782},
+  acknowledgement={none},
+  keywords	= {design; reliability},
+  bibkey	= {binder:design:1994}
+}
+
+@InProceedings{	  bernot.ea:theory:1997,
+  author	= {Gilles Bernot and Laurent Bouaziz and Pascale {Le Gall}},
+  title		= {A theory of probabilistic functional testing},
+  booktitle	= PROC # { the 19th international conference on
+		  Software engineering},
+  year		= 1997,
+  isbn		= {0-89791-914-9},
+  pages		= {216--226},
+  pdf		= {papers/1997/p216-bernot.pdf},
+  location	= {Boston, Massachusetts, United States},
+  doi		= {10.1145/253228.253273},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  acknowledgement={none}
+}
+
+@InProceedings{	  ntafos:random:1998,
+  author	= {Simeon Ntafos},
+  title		= {On random and partition testing},
+  booktitle	= PROC # { ACM SIGSOFT international symposium on
+		  Software testing and analysis},
+  year		= 1998,
+  isbn		= {0-89791-971-8},
+  pages		= {42--48},
+  location	= {Clearwater Beach, Florida, United States},
+  doi		= {10.1145/271771.271785},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  acknowledgement={none},
+  bibkey	= {ntafos:random:1998}
+}
+
+@InProceedings{	  hackett.ea:modular:2006,
+  author	= {Brian Hackett and Manuvir Das and Daniel Wang and Zhe
+		  Yang},
+  title		= {Modular checking for buffer overflows in the large},
+  booktitle	= {ICSE '06: Proceeding of the 28th international conference
+		  on Software engineering},
+  year		= 2006,
+  acknowledgement={none},
+  isbn		= {1-59593-375-1},
+  pages		= {232--241},
+  location	= {Shanghai, China},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  doi		= {10.1145/1134285.1134319}
+}
+
+@InProceedings{	  biere.ea:sat-model-checking:1999,
+  author	= {A. Biere and A. Cimatti and E. M. Clarke and M. Fujita and
+		  Y. Zhu},
+  title		= {Symbolic model checking using SAT procedures instead of
+		  {BDDs}},
+  booktitle	= PROC # { the 36th ACM/IEEE conference on Design
+		  automation conference},
+  year		= 1999,
+  isbn		= {1-58133-109-7},
+  pages		= {317--320},
+  location	= {New Orleans, Louisiana, United States},
+  doi		= {10.1145/309847.309942},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  acknowledgement={none},
+  bibkey	= {biere.ea:sat-model-checking:1999}
+}
+
+@Article{	  france:problem-oriented:34-10,
+  author	= {Robert France},
+  title		= {A problem-oriented analysis of basic {UML} static
+		  requirements modeling concepts},
+  journal	= {ACM SIG-PLAN Notices},
+  volume	= 34,
+  number	= 10,
+  pages		= {57--69},
+  year		= 1999,
+  abstract	= {The Unified Modeling Language (UML) is a standard modeling
+		  language in which some of the best object-oriented (OO)
+		  modeling experiences are embedded. In this paper we
+		  illustrate the role formal specification techniques can
+		  play in developing a precise semantics for the UML. We
+		  present a precise characterization of requirements-level
+		  (problem-oriented) Class Diagrams and outline how the
+		  characterization can be used to semantically analyze
+		  requirements Class Diagrams.},
+  acknowledgement={none},
+  bibkey	= {france:problem-oriented:34-10}
+}
+
+@InProceedings{	  claessen.ea:quickcheck:2000,
+  author	= {Koen Claessen and John Hughes},
+  title		= {{QuickCheck}: a lightweight tool for random testing of
+		  {Haskell} programs},
+  booktitle	= PROC # { the fifth ACM SIGPLAN international
+		  conference on Functional programming},
+  year		= 2000,
+  isbn		= {1-58113-202-6},
+  pages		= {268--279},
+  doi		= {10.1145/351240.351266},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  abstract	= {Quick Check is a tool which aids the Haskell programmer in
+		  formulating and testing properties of programs. Properties
+		  are described as Haskell functions, and can be
+		  automatically tested on random input, but it is also
+		  possible to define custom test data generators. We present
+		  a number of case studies, in which the tool was
+		  successfully used, and also point out some pitfalls to
+		  avoid. Random testing is especially suitable for functional
+		  programs because properties can be stated at a fine grain.
+		  When a function is built from separately tested components,
+		  then random testing suffices to obtain good coverage of the
+		  definition under test. },
+  acknowledgement={none},
+  bibkey	= {claessen.ea:quickcheck:2000}
+}
+
+@Article{	  kozen:hoare:2000,
+  author	= {Dexter Kozen},
+  title		= {On Hoare logic and Kleene algebra with tests},
+  journal	= {ACM Transactions on Computational Logic},
+  volume	= 1,
+  number	= 1,
+  year		= 2000,
+  issn		= {1529-3785},
+  pages		= {60--76},
+  doi		= {10.1145/343369.343378},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  abstract	= {We show that Kleene algebra with tests (KAT) subsumes
+		  propositional Hoare logic (PHL). Thus the specialized
+		  syntax and deductive apparatus of Hoare logic are
+		  inessential and can be replaced by simple equational
+		  reasoning. In addition, we show that all relationally valid
+		  inference rules are derivable in KAT and that deciding the
+		  relational validity of such rules is PSPACE-complete. },
+  acknowledgement={none},
+  bibkey	= {kozen:hoare:2000}
+}
+
+@InProceedings{	  chen.ea:semi-proving:2002,
+  author	= {T. Y. Chen and T. H. Tse and Zhiquan Zhou},
+  title		= {Semi-proving: an integrated method based on global
+		  symbolic evaluation and metamorphic testing},
+  booktitle	= PROC # { the international symposium on Software
+		  testing and analysis},
+  year		= 2002,
+  isbn		= {1-58113-562-9},
+  pages		= {191--195},
+  location	= {Roma, Italy},
+  doi		= {10.1145/566172.566202},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  acknowledgement={none},
+  bibkey	= {chen.ea:semi-proving:2002}
+}
+
+@InProceedings{	  naumovich.ea:static:2004,
+  author	= {Gleb Naumovich and Paolina Centonze},
+  title		= {Static Analysis of Role-Based Access Control in {J2EE}
+		  Applications},
+  abstract	= {This work describes a new technique for analysis of Java
+		  2, Enterprise Edition (J2EE) applications. In such
+		  applications, Enterprise Java Beans (EJBs) are commonly
+		  used to encapsulate the core computations performed on Web
+		  servers. Access to EJBs is protected by application
+		  servers, according to role-based access control policies
+		  that may be created either at development or deployment
+		  time. These policies may prohibit some types of users from
+		  accessing specific EJB methods. We present a static
+		  technique for analyzing J2EE access control policies with
+		  respect to security-sensitive fields of EJBs and other
+		  server-side objects. Our technique uses points-to analysis
+		  to determine which object fields are accessed by which EJB
+		  methods, directly or indirectly. Based on this information,
+		  J2EE access control policies are analyzed to identify
+		  potential inconsistencies that may lead to security holes.
+		  },
+  volume	= 29,
+  number	= 5,
+  month		= sep,
+  year		= 2004,
+  booktitle	= {TAV-WEB Proceedings},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  acknowledgement={none},
+  bibkey	= {naumovich.ea:static:2004}
+}
+
+@InProceedings{	  altenhofen.ea:high-level:2005,
+  author	= {Michael Altenhofen and Egon B{\"o}rger and Jens Lemcke},
+  title		= {A High-Level Specification for Mediators(Virtual
+		  Providers)},
+  booktitle	= {Business Process Management Workshops},
+  year		= 2005,
+  pages		= {116--129},
+  doi		= {10.1007/11678564_11},
+  crossref	= {bussler.ea:business:2006}
+}
+
+@Proceedings{	  bussler.ea:business:2006,
+  editor	= {Christoph Bussler and Armin Haller},
+  title		= {Business Process Management Workshops, BPM 2005
+		  International Workshops, BPI, BPD, ENEI, BPRM, WSCOBPM,
+		  BPS, Nancy, France, September 5, 2005, Revised Selected
+		  Papers},
+  booktitle	= {Business Process Management Workshops},
+  volume	= 3812,
+  year		= 2006,
+  isbn		= {3-540-32595-6}
+}
+
+@Article{	  grieskamp.ea:generating:2002,
+  author	= {Wolfgang Grieskamp and Yuri Gurevich and Wolfram Schulte
+		  and Margus Veanes},
+  title		= {Generating finite state machines from abstract state
+		  machines},
+  journal	= {SIGSOFT Softw. Eng. Notes},
+  volume	= 27,
+  number	= 4,
+  year		= 2002,
+  issn		= {0163-5948},
+  pages		= {112--122},
+  doi		= {10.1145/566171.566190},
+  publisher	= pub-acm,
+  address	= pub-acm:adr
+}
+
+@InProceedings{	  paulson:isabelle:1988,
+  author	= {Lawrence C. Paulson},
+  title		= {Isabelle: The Next Seven Hundred Theorem Provers},
+  booktitle	= {CADE},
+  year		= 1988,
+  pages		= {772--773},
+  crossref	= {lusk.ea:cade:1988}
+}
+
+@Proceedings{	  lusk.ea:cade:1988,
+  editor	= {Ewing L. Lusk and Ross A. Overbeek},
+  title		= {9th International Conference on Automated Deduction,
+		  Argonne, Illinois, USA, May 23-26, 1988, Proceedings},
+  booktitle	= {CADE},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 310,
+  year		= 1988,
+  isbn		= {3-540-19343-X}
+}
+
+@Article{	  ntafos:comparison:1988,
+  author	= {S. C. Ntafos},
+  title		= {A Comparison of Some Structural Testing Strategies},
+  journal	= j-ieee-tse,
+  volume	= 14,
+  number	= 6,
+  year		= 1988,
+  pdf		= {papers/1988/e0868.pdf},
+  issn		= {0098-5589},
+  pages		= {868--874},
+  doi		= {http://csdl.computer.org/comp/trans/ts/1988/06/e0868abs.htm}
+		  ,
+  publisher	= pub-ieee,
+  address	= pub-ieee:adr,
+  abstract	= {Several structural testing strategies are compared in
+		  terms of their relative coverage of the program's structure
+		  and also in terms of the number of test cases needed to
+		  satisfy each strategy. Some of the deficiencies of such
+		  comparisons are discussed},
+  acknowledgement={none}
+}
+
+@InProceedings{	  lange.ea:flyspeck:2008,
+  author	= {Christoph Lange and Sean McLaughlin and Florian Rabe},
+  title		= {Flyspeck in a Semantic {Wiki}},
+  booktitle	= {SemWiki},
+  year		= 2008,
+  url		= {http://ceur-ws.org/Vol-360/paper-21.pdf},
+  crossref	= {lange.ea:semwiki:2008}
+}
+
+@Proceedings{	  lange.ea:semwiki:2008,
+  editor	= {Christoph Lange and Sebastian Schaffert and Hala
+		  Skaf-Molli and Max V{\"o}lkel},
+  title		= PROC # {the 3rd Semantic Wiki Workshop (SemWiki
+		  2008) at the 5th European Semantic Web Conference (ESWC
+		  2008), Tenerife, Spain, June 2nd, 2008},
+  booktitle	= {SemWiki},
+  publisher	= {CEUR-WS.org},
+  series	= {CEUR Workshop Proceedings},
+  volume	= 360,
+  year		= 2008
+}
+
+@Book{		  matouvsek.ea:invitation:2008,
+  author	= {Ji{\v}r{\'\i} Matou{\v}sek, and Jaroslav Ne{\v}set{\v}ril},
+  title		= {Invitation to discrete mathematics.},
+  language	= {English},
+  edition	= {2nd},
+  publisher	= pub-oxford,
+  address	= pub-oxford:adr,
+  pages		= 443,
+  year		= 2008,
+  isbn		= {978-0198570431},
+  abstract	= {This is the second edition of a delightful textbook, see
+		  [Invitation to discrete mathematics. (Oxford): Clarendon
+		  Press. (1998; Zbl 0901.05001)]. Besides the usual
+		  elimination of a few typos there are some additions, namely
+		  a chapter on partially ordered sets, a section on
+		  Tur\'{a}n's theorem on the number of edges in a
+		  triangle-free graph and a chapter on Ramsey's theorem.\par
+		  New to the second edition are also several proofs of the
+		  Cauchy-Schwarz inequality, a very attractive elegant new
+		  proof of Cayley's theorem on the number of labeled trees on
+		  $n$ vertices via PARTs (Plans of Assembly of a Rooted
+		  Tree), which the authors attribute to Jim Pitman, and
+		  another proof of the determinant formula for counting
+		  spanning trees of a given graph. The newly added geometric
+		  interpretation of the construction of the real projective
+		  plane is aided by the beautiful artistic rendering in the
+		  figure with the caption ``The real projective plane in
+		  moonlight''.},
+  keywords	= {discrete mathematics; problem solving; counting
+		  techniques; graph theory; trees; algorithms; planar graphs;
+		  Sperner's theorem; finite projective planes; probabilistic
+		  method; generating functions; partially ordered sets; Turan
+		  theorem; Ramsey theorem; Cauchy Schwartz inequality; Cayley
+		  theorem; geometric interpretation; real projective plane}
+}
+
+@Book{		  syme.ea:expert-f:2007,
+  author	= {Don Syme and Adam Granicz and Antonio Cisternino},
+  title		= {Expert F\# (Expert's Voice in {.Net})},
+  isbn		= 9781590598504,
+  publisher	= {Apress},
+  pages		= 609,
+  year		= 2007
+}
+
+@Book{		  baier.ea:principles:2008,
+  abstract	= {Our growing dependence on increasingly complex computer
+		  and software systems necessitates the development of
+		  formalisms, techniques, and tools for assessing functional
+		  properties of these systems. One such technique that has
+		  emerged in the last twenty years is model checking, which
+		  systematically (and automatically) checks whether a model
+		  of a given system satisfies a desired property such as
+		  deadlock freedom, invariants, or request-response
+		  properties. This automated technique for verification and
+		  debugging has developed into a mature and widely used
+		  approach with many applications. \_Principles of Model
+		  Checking\_ offers a comprehensive introduction to model
+		  checking that is not only a text suitable for classroom use
+		  but also a valuable reference for researchers and
+		  practitioners in the field.
+		  
+		  The book begins with the basic principles for modeling
+		  concurrent and communicating systems, introduces different
+		  classes of properties (including safety and liveness),
+		  presents the notion of fairness, and provides automata-
+		  based algorithms for these properties. It introduces the
+		  temporal logics LTL and CTL, compares them, and covers
+		  algorithms for verifying these logics, discussing real-time
+		  systems as well as systems subject to random phenomena.
+		  Separate chapters treat such efficiency-improving
+		  techniques as abstraction and symbolic manipulation. The
+		  book includes an extensive set of examples (most of which
+		  run through several chapters) and a complete set of basic
+		  results accompanied by detailed proofs. Each chapter
+		  concludes with a summary, bibliographic notes, and an
+		  extensive list of exercises of both practical and
+		  theoretical nature.},
+  author	= {Christel Baier and Joost-Pieter Katoen},
+  howpublished	= {Hardcover},
+  isbn		= {026202649X},
+  month		= may,
+  publisher	= pub-mit,
+  address	= pub-mit:adr,
+  title		= {Principles of Model Checking},
+  year		= 2008
+}
+
+@Book{		  bertot.ea:interactive:2004,
+  author	= {Yves Bertot and Pierre Cast{\'e}ran},
+  keywords	= {theorem-proving, type-theory, verification},
+  title		= {Interactive Theorem Proving and Program Development.
+		  Coq'Art: The Calculus of Inductive Constructions},
+  pages		= 500,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  isbn		= {978-3540208549},
+  year		= 2004,
+  abstract	= {Coq is an interactive proof assistant for the development
+		  of mathematical theories and formally certified software.
+		  It is based on a theory called the calculus of inductive
+		  constructions, a variant of type theory. This book provides
+		  a pragmatic introduction to the development of proofs and
+		  certified programs using Coq. With its large collection of
+		  examples and exercises it is an invaluable tool for
+		  researchers, students, and engineers interested in formal
+		  methods and the development of zero-fault software.}
+}
+
+@Article{	  korel:automated:1990,
+  author	= {Bogdan Korel},
+  title		= {Automated Software Test Data Generation},
+  journal	= j-ieee-tse,
+  volume	= 16,
+  number	= 8,
+  year		= 1990,
+  issn		= {0098-5589},
+  pages		= {870--879},
+  doi		= {10.1109/32.57624},
+  publisher	= pub-ieee,
+  address	= pub-ieee:adr,
+  acknowledgement={none},
+  bibkey	= {korel:automated:1990}
+}
+
+@Article{	  hamlet.ea:partition:1990,
+  author	= {Dick Hamlet and Ross Taylor},
+  title		= {Partition Testing Does Not Inspire Confidence (Program
+		  Testing)},
+  journal	= j-ieee-tse,
+  volume	= 16,
+  number	= 12,
+  year		= 1990,
+  issn		= {0098-5589},
+  pages		= {1402--1411},
+  doi		= {10.1109/32.62448},
+  publisher	= pub-ieee,
+  address	= pub-ieee:adr,
+  acknowledgement={none},
+  bibkey	= {hamlet.ea:partition:1990}
+}
+
+@TechReport{	  sharangpani.ea:statistical:1994,
+  language	= {USenglish},
+  author	= {H. P. Sharangpani and Ph. D. M. I. Barton },
+  title		= {Statistical Analysis of Floating Point Flaw in the
+		  Pentium$^{TM}$ Processor},
+  institution	= {Intel Corporation},
+  month		= nov,
+  year		= 1994,
+  keywords	= {pentium; flaw; FDIV; bug},
+  url		= {http://www.intel.com/support/processors/pentium/fdiv/wp/},
+  abstract	= {A subtle flaw in the hardware divide unit of the Pentium
+		  TM Processor was discovered by Intel. Subsequently, a
+		  characterization of its impact to the end-user application
+		  base was conducted. The flaw is rare and data-dependent,
+		  and causes a reduction in precision of the divide
+		  instruc-tion and certain other operations in certain cases.
+		  The significance of the flaw depends upon (a) the rate of
+		  use of specific FP instructions in the Pentium TM CPU, (b)
+		  the data fed to them, (c) the way in which the results of
+		  these instructions are propagated into further computation
+		  in the application; and (d) the way in which the final
+		  results of the application are interpreted. The thorough
+		  and detailed characterization of the flaw and the
+		  subsequent investigations of its impact on applications
+		  through elaborate surveys, analyses and empirical
+		  observation lead us to the overall conclusion that the flaw
+		  is of no concern to the vast majority of users of Pentium
+		  processor based systems. A few users of applications in the
+		  scientific/engineering and financial engineering fields who
+		  require unusual precision and invoke millions of divides
+		  per day may need t o employ either an updated Pen t ium
+		  processor without the flaw or a software workaround.},
+  acknowledgement={none},
+  bibkey	= {sharangpani.ea:statistical:1994}
+}
+
+@InProceedings{	  paulson:formulation:1988,
+  author	= {Lawrence C. Paulson},
+  title		= {A formulation of the simple theory of types (for
+		  Isabelle).},
+  booktitle	= {Conference on Computer Logic},
+  year		= 1988,
+  acknowledgement={none},
+  pages		= {246--274},
+  doi		= {10.1007/3-540-52335-9_58},
+  crossref	= {martin-lof.ea:international:1990}
+}
+
+@Proceedings{	  martin-lof.ea:international:1990,
+  editor	= {Per Martin-L{\"o}f and Grigori Mints},
+  title		= {International Conference on Computer Logic, Tallinn, USSR,
+		  December 1988, Proceedings},
+  booktitle	= {Conference on Computer Logic},
+  publisher	= pub-springer,
+  series	= lncs,
+  address	= pub-springer:adr,
+  acknowledgement={none},
+  volume	= 417,
+  year		= 1990,
+  isbn		= {3-540-52335-9}
+}
+
+@Article{	  bernot.ea:software:1991,
+  author	= {Gilles Bernot and Marie Claude Gaudel and Bruno Marre},
+  title		= {Software testing based on formal specifications: a theory
+		  and a tool},
+  journal	= {Softw. Eng. J.},
+  volume	= 6,
+  number	= 6,
+  year		= 1991,
+  issn		= {0268-6961},
+  pages		= {387--405},
+  publisher	= {Michael Faraday House},
+  address	= {Herts, UK, UK}
+}
+
+@Article{	  chadwick.ea:permis:2008,
+  author	= {David Chadwick and Gansen Zhao and Sassa Otenko and Romain
+		  Laborde and Linying Su and Tuan Anh Nguyen},
+  title		= {{PERMIS}: a modular authorization infrastructure},
+  journal	= {Concurrency and Computation: Practice \& Experience},
+  volume	= 20,
+  number	= 11,
+  year		= 2008,
+  issn		= {1532-0626},
+  pages		= {1341--1357},
+  doi		= {10.1002/cpe.v20:11},
+  publisher	= pub-wiley,
+  address	= pub-wiley:adr,
+  abstract	= {Authorization infrastructures manage privileges and render
+		  access control decisions, allowing applications to adjust
+		  their behavior according to the privileges allocated to
+		  users. This paper describes the PERMIS role-based
+		  authorization infrastructure along with its conceptual
+		  authorization, access control, and trust models. PERMIS has
+		  the novel concept of a credential validation service, which
+		  verifies a user's credentials prior to access control
+		  decision-making and enables the distributed management of
+		  credentials. PERMIS also supports delegation of authority;
+		  thus, credentials can be delegated between users, further
+		  decentralizing credential management. Finally, PERMIS
+		  supports history-based decision-making, which can be used
+		  to enforce such aspects as separation of duties and
+		  cumulative use of resources. Details of the design and the
+		  implementation of PERMIS are presented along with details
+		  of its integration with Globus Toolkit, Shibboleth, and
+		  GridShib. A comparison of PERMIS with other authorization
+		  and access control implementations is given, along with
+		  suggestions where future research and development are still
+		  needed.}
+}
+
+@Article{	  altenhofen.ea:asms:2008,
+  author	= {Michael Altenhofen and Andreas Friesen and Jens Lemcke},
+  title		= {{ASMs} in Service Oriented Architectures},
+  journal	= j-ucs,
+  volume	= 14,
+  number	= 12,
+  year		= 2008,
+  pages		= {2034--2058},
+  abstract	= {We give a survey on work we did in the past where we have
+		  successfully applied the ASM methodology to provide
+		  abstract models for a number of problem areas that are
+		  commonly found in Service Oriented Architectures (SOA). In
+		  particular, we summarize our work on (1) service behavior
+		  mediation, (2) service discovery, and (3) service
+		  composition, showing that the corresponding solutions can
+		  be described as variations of a fundamental abstract
+		  processing model{\^a}the Virtual Provider.},
+  keywords	= {process mediation, service discovery, workflow composition
+		  }
+}
+
+@Book{		  borger.ea:abstract:2003,
+  author	= {Egon B{\"o}rger and Robert F. St{\"a}rk},
+  title		= {Abstract State Machines: A Method for High-Level System
+		  Design and Analysis},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  isbn		= {3-540-00702-4},
+  abstract	= {This book introduces into a new software engineering
+		  method which guides the development of systems seamlessly
+		  from requirements capture to coding. The method bridges the
+		  gap between understanding and formulating real-world
+		  problems by humans and the deployment of their solutions by
+		  code-executing machines on changing platforms.It covers
+		  design and analysis for both hardware and software
+		  systems.It has a scientific foundation and improves current
+		  industrial practice by linking the descriptions at the
+		  successive stages of the system development cycle in a
+		  coherent conceptual framework to keep the system models at
+		  related levels synchronized.The method supports the
+		  integration of standard design, analysis and documentation
+		  techniques for model reuse (by abstraction), validation (by
+		  simulation and high-level testing), verification (by
+		  reasoning) and maintenance (by structured documentation).
+		  },
+  year		= 2003
+}
+
+@InProceedings{	  altenhofen.ea:concurrent:2009,
+  author	= {Michael Altenhofen and Egon B{\"o}rger},
+  title		= {Concurrent Abstract State Machines and {$^+\mathit{CAL}$}
+		  Programs},
+  pages		= {1--17},
+  doi		= {10.1007/978-3-642-03429-9_1},
+  abstract	= {We apply the ASM semantics framework to define the await
+		  construct in the context of concurrent ASMs. We link
+		  {$^+\mathit{CAL}$} to concurrent control state ASMs with
+		  turbo ASM submachines.},
+  booktitle	= {Recent Trends in Algebraic Development Techniques},
+  series	= s-lncs,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  year		= 2009
+}
+
+@Article{	  farahbod.ea:coreasm:2007,
+  author	= {Roozbeh Farahbod and Vincenzo Gervasi and Uwe Gl{\"a}sser},
+  title		= {{CoreASM}: An Extensible {ASM} Execution Engine},
+  journal	= {Fundamenta Informaticae},
+  publisher	= {IOS Press},
+  volume	= 77,
+  number	= {1-2},
+  year		= 2007,
+  issn		= {0169-2968},
+  pages		= {71--103},
+  ee		= {http://iospress.metapress.com/openurl.asp?genre=article{\&}issn=0169-2968{\&}volume=77{\&}issue=1{\&}spage=71}
+		  ,
+  abstract	= {In this paper we introduce a new research effort in making
+		  abstract state machines (ASMs) executable. The aim is to
+		  specify and implement an execution engine for a language
+		  that is as close as possible to the mathematical definition
+		  of pure ASMs. The paper presents the general architecture
+		  of the engine, together with a high-level description of
+		  the extensibility mechanisms that are used by the engine to
+		  accommodate arbitrary backgrounds, scheduling policies, and
+		  new rule forms.},
+  keywords	= {CoreASM, Abstract state machines, Specification languages,
+		  Executable specification}
+}
+
+@Article{	  knuth:literate:1984,
+  author	= {Donald E. Knuth},
+  title		= {Literate Programming},
+  journal	= {The Computer Journal},
+  volume	= 27,
+  number	= 2,
+  year		= 1984,
+  pages		= {97--111},
+  doi		= {10.1093/comjnl/27.2.97},
+  publisher	= {Oxford University Press},
+  address	= {Oxford, UK},
+  issn		= {0010-4620},
+  abstract	= {The author and his associates have been experimenting for
+		  the past several years with a programming language and
+		  documentation system called WEB. This paper presents WEB by
+		  example, and discusses why the new system appears to be an
+		  improvement over previous ones.}
+}
+
+@Article{	  forgy:rete:1982,
+  author	= {Charles L. Forgy},
+  title		= {Rete: A Fast Algorithm for the Many Patterns/Many Objects
+		  Match Problem},
+  journal	= {Artificial Intelligence},
+  volume	= 19,
+  number	= 1,
+  year		= 1982,
+  pages		= {17--37},
+  issn		= {0004-3702},
+  abstract	= {The Rete Match Algorithm is an efficient method for
+		  comparing a large collection of patterns to a large
+		  collection of objects. It finds all the objects that match
+		  each pattern. The algorithm was developed for use in
+		  production system interpreters, and it has been used for
+		  systems containing from a few hundred to more than a
+		  thousand patterns and objects. This article presents the
+		  algorithm in detail. It explains the basic concepts of the
+		  algorithm, it describes pattern and object representations
+		  that are appropriate for the algorithm, and it describes
+		  the operations performed by the pattern matcher. },
+  doi		= {10.1016/0004-3702(82)90020-0}
+}
+
+@InProceedings{	  burrows:chubby:2006,
+  author	= {Mike Burrows},
+  title		= {The Chubby lock service for loosely-coupled distributed
+		  systems},
+  booktitle	= {OSDI '06: Proceedings of the 7th symposium on Operating
+		  systems design and implementation},
+  year		= 2006,
+  isbn		= {1-931971-47-1},
+  pages		= {335--350},
+  publisher	= {\acs{usenix} Association},
+  location	= {Seattle, Washington},
+  address	= {Berkeley, CA, USA},
+  abstract	= {We describe our experiences with the Chubby lock service,
+		  which is intended to provide coarse-grained locking as well
+		  as reliable (though low-volume) storage for a
+		  loosely-coupled distributed system. Chubby provides an
+		  interface much like a distributed file system with advisory
+		  locks, but the design emphasis is on availability and
+		  reliability, as opposed to high performance. Many instances
+		  of the service have been used for over a year, with several
+		  of them each handling a few tens of thousands of clients
+		  concurrently. The paper describes the initial design and
+		  expected use, compares it with actual use, and explains how
+		  the design had to be modified to accommodate the
+		  differences.}
+}
+
+@InProceedings{	  mccarthy.ea:architecture:1989,
+  author	= {Dennis McCarthy and Umeshwar Dayal},
+  title		= {The architecture of an active database management system},
+  booktitle	= {SIGMOD '89: Proceedings of the 1989 ACM SIGMOD
+		  international conference on Management of data},
+  year		= 1989,
+  isbn		= {0-89791-317-5},
+  pages		= {215--224},
+  location	= {Portland, Oregon, United States},
+  doi		= {10.1145/67544.66946},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  abstract	= {he HiPAC project is investigating active, time-constrained
+		  database management. An active DBMS is one which
+		  automatically executes specified actions when specified
+		  conditions arise. HiPAC has proposed Event-Condition-Action
+		  (ECA) rules as a formalism for active database
+		  capabilities. We have also developed an execution model
+		  that specifies how these rules are processed in the context
+		  of database transactions. The additional functionality
+		  provided by ECA rules makes new demands on the design of an
+		  active DBMS. In this paper we propose an architecture for
+		  an active DBMS that supports ECA rules. This architecture
+		  provides new forms of interaction, in support of ECA rules,
+		  between application programs and the DBMS. This leads to a
+		  new paradigm for constructing database applications.}
+}
+
+@InProceedings{	  carioni.ea:scenario-based:2008,
+  author	= {Alessandro Carioni and Angelo Gargantini and Elvinia
+		  Riccobene and Patrizia Scandurra},
+  title		= {A Scenario-Based Validation Language for {ASMs}},
+  booktitle	= {ABZ},
+  year		= 2008,
+  pages		= {71--84},
+  doi		= {10.1007/978-3-540-87603-8_7},
+  abstract	= {This paper presents the AValLa language, a domain-specific
+		  modelling language for scenario-based validation of ASM
+		  models, and its supporting tool, the AsmetaV validator.
+		  They have been developed according to the model-driven
+		  development principles as part of the asmeta (ASM
+		  mETAmodelling) toolset, a set of tools around ASMs. As a
+		  proof-of-concepts, the paper reports the results of the
+		  scenario-based validation for the well-known LIFT control
+		  case study.},
+  crossref	= {borger.ea:abstract:2008}
+}
+
+@Proceedings{	  borger.ea:abstract:2008,
+  editor	= {Egon B{\"o}rger and Michael J. Butler and Jonathan P.
+		  Bowen and Paul Boca},
+  title		= {Abstract State Machines, B and Z, First International
+		  Conference, ABZ 2008, London, UK, September 16-18, 2008.
+		  Proceedings},
+  booktitle	= {ABZ},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 5238,
+  year		= 2008,
+  isbn		= {978-3-540-87602-1}
+}
+
+@Article{	  decandia.ea:dynamo:2007,
+  author	= {Giuseppe DeCandia and Deniz Hastorun and Madan Jampani and
+		  Gunavardhan Kakulapati and Avinash Lakshman and Alex
+		  Pilchin and Swaminathan Sivasubramanian and Peter Vosshall
+		  and Werner Vogels},
+  title		= {{Dynamo}: {Amazon's} highly available key-value store},
+  journal	= {ACM SIGOPS Operating Systems Review},
+  volume	= 41,
+  number	= 6,
+  year		= 2007,
+  issn		= {0163-5980},
+  pages		= {205--220},
+  doi		= {10.1145/1323293.1294281},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  abstract	= {Reliability at massive scale is one of the biggest
+		  challenges we face at Amazon.com, one of the largest
+		  e-commerce operations in the world; even the slightest
+		  outage has significant financial consequences and impacts
+		  customer trust. The Amazon.com platform, which provides
+		  services for many web sites worldwide, is implemented on
+		  top of an infrastructure of tens of thousands of servers
+		  and network components located in many datacenters around
+		  the world. At this scale, small and large components fail
+		  continuously and the way persistent state is managed in the
+		  face of these failures drives the reliability and
+		  scalability of the software systems.
+		  
+		  This paper presents the design and implementation of
+		  Dynamo, a highly available key-value storage system that
+		  some of Amazon's core services use to provide an
+		  "always-on" experience. To achieve this level of
+		  availability, Dynamo sacrifices consistency under certain
+		  failure scenarios. It makes extensive use of object
+		  versioning and application-assisted conflict resolution in
+		  a manner that provides a novel interface for developers to
+		  use.}
+}
+
+@InProceedings{	  crampton.ea:secondary:2006,
+  author	= {Jason Crampton and Wing Leung and Konstantin Beznosov},
+  title		= {The secondary and approximate authorization model and its
+		  application to {Bell-LaPadula} policies},
+  booktitle	= {SACMAT '06: Proceedings of the eleventh ACM symposium on
+		  Access control models and technologies},
+  year		= 2006,
+  isbn		= {1-59593-353-0},
+  pages		= {111--120},
+  location	= {Lake Tahoe, California, USA},
+  doi		= {10.1145/1133058.1133075},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  abstract	= {We introduce the concept, model, and policy-specific
+		  algorithms for inferring new access control decisions from
+		  previous ones. Our secondary and approximate authorization
+		  model (SAAM) defines the notions of primary vs. secondary
+		  and precise vs. approximate authorizations. Approximate
+		  authorization responses are inferred from cached primary
+		  responses, and therefore provide an alternative source of
+		  access control decisions in the event that the
+		  authorization server is unavailable or slow. The ability to
+		  compute approximate authorizations improves the reliability
+		  and performance of access control sub-systems and
+		  ultimately the application systems themselves.The operation
+		  of a system that employs SAAM depends on the type of access
+		  control policy it implements. We propose and analyze
+		  algorithms for computing secondary authorizations in the
+		  case of policies based on the Bell-LaPadula model. In this
+		  context, we define a dominance graph, and describe its
+		  construction and usage for generating secondary responses
+		  to authorization requests. Preliminary results of
+		  evaluating SAAM BLP algorithms demonstrate a 30\% increase
+		  in the number of authorization requests that can be served
+		  without consulting access control policies.}
+}
+
+@InProceedings{	  turkmen.ea:performance:2008,
+  author	= {Fatih Turkmen and Bruno Crispo},
+  title		= {Performance evaluation of {XACML} {PDP} implementations},
+  booktitle	= {SWS '08: Proceedings of the 2008 ACM workshop on Secure
+		  web services},
+  year		= 2008,
+  isbn		= {978-1-60558-292-4},
+  pages		= {37--44},
+  location	= {Alexandria, Virginia, USA},
+  doi		= {10.1145/1456492.1456499},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  abstract	= {eXtensible Access Control Markup Language (XACML), an
+		  OASIS standard, is the most widely used policy specifica-
+		  tion language for access control. Its simplicity in syntax
+		  and strength in coverage makes it suitable for diverse en-
+		  vironments such as Service Oriented Architectures (SOAs)
+		  and P2P systems. There are different implementations of
+		  XACML available. Some of these implementations are open
+		  source and some others are proprietary. In this work we
+		  intended to shed some lights to the performance issues of
+		  XACML engines. We tested 3 open source XACML
+		  implementations with different policy/request settings. Our
+		  experiments revealed some important points to be taken into
+		  consideration when deploying an XACML based access control
+		  system. Besides, our results can be used as hints by policy
+		  writers and system developers for deploying efficient
+		  authorization services.}
+}
+
+@InProceedings{	  chen.ea:constraint:2006,
+  author	= {Hong Chen and Ninghui Li},
+  title		= {Constraint generation for separation of duty},
+  booktitle	= {SACMAT '06: Proceedings of the eleventh ACM symposium on
+		  Access control models and technologies},
+  year		= 2006,
+  isbn		= {1-59593-353-0},
+  pages		= {130--138},
+  location	= {Lake Tahoe, California, USA},
+  doi		= {10.1145/1133058.1133077},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  abstract	= {Separation of Duty (SoD) is widely recognized to be a
+		  fundamental principle in computer security. A Static SoD
+		  (SSoD) policy states that in order to have all permissions
+		  necessary to complete a sensitive task, the cooperation of
+		  at least a certain number of users is required. In
+		  Role-Based Access Control (RBAC), Statically Mutually
+		  Exclusive Role (SMER) constraints are used to enforce SSoD
+		  policies. This paper studies the problem of generating sets
+		  of constraints that (a) enforce a set of SSoD policies, (b)
+		  are compatible with the existing role hierarchy, and (c)
+		  are minimal in the sense that there is no other constraint
+		  set that is less restrictive and satisfies (a) and (b).}
+}
+
+@InProceedings{	  schaad.ea:case:2005,
+  author	= {Andreas Schaad and Pascal Spadone and Helmut Weichsel},
+  title		= {A case study of separation of duty properties in the
+		  context of the Austrian {``eLaw''} process.},
+  booktitle	= {SAC '05: Proceedings of the 2005 ACM symposium on Applied
+		  computing},
+  year		= 2005,
+  isbn		= {1-58113-964-0},
+  pages		= {1328--1332},
+  location	= {Santa Fe, New Mexico},
+  doi		= {10.1145/1066677.1066976},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  abstract	= {Over the last few years rapid progress has been made in
+		  moving from conceptual studies, "whitepapers" and
+		  initiatives to the actual deployment of e-Government
+		  systems [13]. In this paper we present the case study of an
+		  existing e-Government system (eLaw) which already supports
+		  key legislative processes in the country of Austria1. The
+		  study has been performed in the context of the EU FP6
+		  project "eJustice".We present a detailed system and
+		  workflow representation referring to the example process of
+		  changing a federal law in Austria. Since such processes and
+		  their results, i.e. the laws of a country, have an enormous
+		  impact on society, they need to be secured against external
+		  and internal alteration, be it inadvertent or malicious.
+		  This is even more important in the electronic world.Instead
+		  of discussing the obvious security requirements like virus
+		  protection or network-level access control, our focus is on
+		  an often neglected form of organisational security and
+		  control properties called separation of duties. We will
+		  analyse and discuss a set of these in terms of the
+		  described eLaw process.}
+}
+
+@InProceedings{	  evered.ea:case:2004,
+  author	= {Mark Evered and Serge B{\"o}geholz},
+  title		= {A case study in access control requirements for a Health
+		  Information System},
+  booktitle	= {ACSW Frontiers '04: Proceedings of the second workshop on
+		  Australasian information security, Data Mining and Web
+		  Intelligence, and Software Internationalisation},
+  year		= 2004,
+  pages		= {53--61},
+  location	= {Dunedin, New Zealand},
+  publisher	= {Australian Computer Society, Inc.},
+  address	= {Darlinghurst, Australia, Australia},
+  abstract	= {We present a detailed examination of the access
+		  constraints for a small real-world Health Information
+		  System with the aim of achieving minimal access rights for
+		  each of the involved principals. We show that, even for
+		  such a relatively simple system, the resulting constraints
+		  are very complex and cannot be expressed easily or clearly
+		  using the static per-method access control lists generally
+		  supported by component-based software. We derive general
+		  requirements for the expressiveness of access constraints
+		  and propose criteria for a more suitable access control
+		  mechanism in the context of component-based systems. We
+		  describe a two-level mechanism which can fulfil these
+		  criteria.}
+}
+
+@Article{	  kapsalis.ea:dynamic:2006,
+  title		= {A dynamic context-aware access control architecture for
+		  e-services},
+  journal	= {Computers \& Security},
+  volume	= 25,
+  number	= 7,
+  pages		= {507--521},
+  year		= 2006,
+  issn		= {0167-4048},
+  doi		= {10.1016/j.cose.2006.05.004},
+  author	= {Vassilis Kapsalis and Loukas Hadellis and Dimitris Karelis
+		  and Stavros Koubias},
+  keywords	= {e-Services, Access control, Web services, Context-aware,
+		  Authorization, UML},
+  abstract	= { The universal adoption of the Internet and the emerging
+		  web services technologies constitutes the infrastructure
+		  that enables the provision of a new generation of
+		  e-services and applications. However, the provision of
+		  e-services through the Internet imposes increased risks,
+		  since it exposes data and sensitive information outside the
+		  client premises. Thus, an advanced security mechanism has
+		  to be incorporated, in order to protect this information
+		  against unauthorized access. In this paper, we present a
+		  context-aware access control architecture, in order to
+		  support fine-grained authorizations for the provision of
+		  e-services, based on an end-to-end web services
+		  infrastructure. Access permissions to distributed web
+		  services are controlled through an intermediary server, in
+		  a completely transparent way to both clients and protected
+		  resources. The access control mechanism is based on a
+		  Role-Based Access Control (RBAC) model, which incorporates
+		  dynamic context information, in the form of context
+		  constraints. Context is dynamically updated and provides a
+		  high level of abstraction of the physical environment by
+		  using the concepts of simple and composite context
+		  conditions. Also, the paper deals with implementation
+		  issues and presents a system that incorporates the proposed
+		  access control mechanism in a web services infrastructure
+		  that conform to the OPC XML-DA specification.}
+}
+
+@InProceedings{	  anderson:comparison:2006,
+  author	= {Anne H. Anderson},
+  title		= {A comparison of two privacy policy languages: {EPAL} and
+		  {XACML}},
+  booktitle	= {SWS '06: Proceedings of the 3rd ACM workshop on Secure web
+		  services},
+  year		= 2006,
+  isbn		= {1-59593-546-0},
+  pages		= {53--60},
+  location	= {Alexandria, Virginia, USA},
+  doi		= {10.1145/1180367.1180378},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  abstract	= {Current regulatory requirements in the U.S. and other
+		  countries make it increasingly important for Web Services
+		  to be able to enforce and verify their compliance with
+		  privacy policies. Structured policy languages can play a
+		  major role by supporting automated enforcement of policies
+		  and auditing of access decisions. This paper compares two
+		  policy languages that have been developed for use in
+		  expressing directly enforceable privacy policies -- the
+		  Enterprise Privacy Authorization Language (EPAL) and the
+		  OASIS Standard eXtensible Access Control Markup Language
+		  (XACML), together with its standard privacy profile.}
+}
+
+@Book{		  rankl.ea:smart-card:2003,
+  author	= {Wolfgang Rankl and Wolfgang Effing},
+  title		= {Smart Card Handbook},
+  year		= 2003,
+  isbn		= 9780470856680,
+  doi		= {10.1002/047085670X},
+  publisher	= pub-wiley,
+  address	= pub-wiley:adr,
+  abstract	= {The boom in smart card technology reflects the medium's
+		  broad solutions potential. Embedded with a sophisticated
+		  microprocessor, smart cards offer unparalleled memory
+		  capacity and data encryption capability. From providing
+		  secure access to the Internet and mobile radio networks to
+		  performing security-sensitive financial transactions in
+		  credit card schemes, the Electronic Purse and Pay TV
+		  systems, smart card technology is now a multi-billion
+		  dollar industry. The Smart Card Handbook presents a
+		  state-of-the-art overview of the technology from
+		  fundamental information processing through design,
+		  manufacture and operation of smart card schemes. Written in
+		  a highly accessible style the Smart Card Handbook meets the
+		  needs of both novice and expert. This is an essential
+		  reference for computer and electronics engineers and
+		  students in microchip design and security system
+		  development. For professionals developing smart card
+		  products, this unique reference will provide an invaluable
+		  insight to all the facets of this sophisticated
+		  technology.}
+}
+
+@Book{		  graham.ea:concrete:1989,
+  title		= {Concrete Mathematics},
+  author	= {Roland L. Graham and Donald E. Knuth and Oren Patashnik},
+  isbn		= {0-201-14236-8},
+  publisher	= pub-aw,
+  address	= pub-aw:adr,
+  pages		= 578,
+  year		= 1989
+}
+
+@Manual{	  iso:ansi-cpp:1998,
+  bibkey	= {iso:ansi-cpp:1998},
+  abstract	= {Specifies requirements for implementations of the C++
+		  programming language. This International Standard also
+		  defines C++. Other requirements and relaxations of the
+		  first requirement appear at various places within this
+		  standard.},
+  note		= {Doc. No. ISO/IEC 14882-1998},
+  title		= {International Standard: Programming languages -C++ },
+  organization	= {ANSI/ISO},
+  year		= 1998,
+  month		= sep,
+  publisher	= {The American National Standards Institute},
+  address	= {New York}
+}
+
+@Book{		  reid:thinking:1990,
+  abstract	= {The book is a result of Glenn Reid's years trying to teach
+		  people to write PostScript programs, during which he
+		  discovered that people tended to try to make PostScript
+		  "look like" other programming languages they already knew.
+		  There is even a chapter in this book entitled "PostScript
+		  Is Not Like C", because it is really a very different
+		  language, and one must learn to "think" in PostScript in
+		  order to be a good programmer. },
+  author	= {Glenn C. Reid},
+  title		= {Thinking in Postscript},
+  publisher	= pub-aw,
+  address	= pub-aw:adr,
+  month		= sep,
+  year		= 1990,
+  language	= {USenglish},
+  keywords	= {Postscript},
+  public	= {yes},
+  isbn		= {0-201-52372-8},
+  url		= {http://www.rightbrain.com/download/books/ThinkingInPostScript.pdf}
+		  
+}
+
+@Book{		  knuth:seminumerical:1981,
+  author	= {Donald E. Knuth},
+  series	= {The Art of Computer Programming},
+  volume	= 2,
+  title		= {Seminumerical Algorithms},
+  edition	= {second},
+  isbn		= {0-201-03822-6},
+  year		= 1981,
+  publisher	= pub-aw,
+  address	= pub-aw:adr
+}
+
+@Book{		  wegener:complexity:1987,
+  address	= {Stuttgart},
+  author	= {Ingo Wegener},
+  language	= {USenglish},
+  public	= {yes},
+  publisher	= {John Wiley \& Sons Ltd., and B.G. Teubner},
+  title		= {The Complexity of Boolean Functions},
+  url		= {\url{http://ls2-www.informatik.uni-dortmund.de/monographs/bluebook/}}
+		  ,
+  year		= 1987,
+  cover		= {1987/wegener:complexity:1987.png},
+  timestamp	= 948019205
+}
+
+@Article{	  stallman:societal:1997,
+  author	= {Richard Stallman},
+  title		= {Societal Dimensions: The Right to Read},
+  journal	= j-cacm,
+  volume	= 40,
+  number	= 2,
+  pages		= {85--87},
+  month		= feb,
+  year		= 1997,
+  coden		= {CACMA2},
+  issn		= {0001-0782},
+  url		= {http://www.acm.org/pubs/citations/journals/cacm/1997-40-2/p85-stallman/}
+		  ,
+  localurl	= {papers/1997/p85-stallman.pdf},
+  note		= {\url{http://www.gnu.org/}},
+  acknowledgement=ack-nhfb,
+  classification= {C0230 (Economic, social and political aspects of
+		  computing); C0310D (Computer installation management)},
+  keywords	= {Clinton administration; Clipper chip; computer crime;
+		  design; industrial property; key-escrow proposals; legal
+		  aspects; management; pirates; right to read; security;
+		  Software Protection Authority; Software Publisher's
+		  Association},
+  subject	= {{\bf K.1} Computing Milieux, THE COMPUTER INDUSTRY. {\bf
+		  K.5.0} Computing Milieux, LEGAL ASPECTS OF COMPUTING,
+		  General. {\bf K.4.0} Computing Milieux, COMPUTERS AND
+		  SOCIETY, General.},
+  treatment	= {G General Review}
+}
+
+@Article{	  stallman:societal:1997-b,
+  author	= {Richard Stallman},
+  title		= {Societal Dimensions: The Right to Read},
+  journal	= j-cacm,
+  volume	= 40,
+  number	= 2,
+  pages		= {85--87},
+  month		= feb,
+  year		= 1997,
+  issn		= {0001-0782},
+  classification= {C0230 (Economic, social and political aspects of
+		  computing); C0310D (Computer installation management)},
+  keywords	= {Clinton administration; Clipper chip; computer crime;
+		  design; industrial property; key-escrow proposals; legal
+		  aspects; management; pirates; right to read; security;
+		  Software Protection Authority; Software Publisher's
+		  Association},
+  subject	= {{\bf K.1} Computing Milieux, THE COMPUTER INDUSTRY. {\bf
+		  K.5.0} Computing Milieux, LEGAL ASPECTS OF COMPUTING,
+		  General. {\bf K.4.0} Computing Milieux, COMPUTERS AND
+		  SOCIETY, General.},
+  treatment	= {G General Review}
+}
+
+@Article{	  dalton.ea:securing:2001,
+  bibkey	= {dalton.ea:securing:2001},
+  author	= {Chris Dalton and Tse Huong Choo},
+  title		= {An operating system approach to securing e--services},
+  journal	= j-cacm,
+  volume	= 44,
+  number	= 2,
+  pages		= {58--64},
+  month		= feb,
+  abstract	= {This article looks at some of the problems surrounding
+		  application compromise in more detail and puts forward our
+		  approach to solving these problems. We do not attempt to
+		  guarantee that the application services are bug-free (a
+		  difficult problem). Instead, we have found that the effects
+		  of this type of attack, and quite a few others, can be
+		  usefully mitigated by adding specific properties to the OSs
+		  used to host those applications.
+		  
+		  Specifically, we look at Trusted Linux, HP Laboratories'
+		  implementation of a secure version of Linux, which we
+		  believe is an ideal platform for e-service application
+		  hosting.},
+  year		= 2001,
+  issn		= {0001-0782}
+}
+
+@Article{	  cornea-hasegan:proving:1998,
+  language	= {USenglish},
+  abstract	= {The work presented in this paper was initiated as part of
+		  a study on software alternatives to the hardware
+		  implementations of floating-point operations such as divide
+		  and square root. The results of the study proved the
+		  viability of software implementations, and showed that
+		  certain proposed algorithms are comparable in performance
+		  to current hardware implementations. This paper discusses
+		  two components of that study:
+		  
+		  (1) A methodology for proving the IEEE correctness of the
+		  result of iterative algorithms that implement the
+		  floating-point square root, divide, or remainder operation.
+		  (2) Identification of operands for the floating-point
+		  divide and square root operations that lead to results
+		  representing difficult cases for IEEE rounding.
+		  
+		  Some general properties of floating-point computations are
+		  presented first. The IEEE correctness of the floating-point
+		  square root operation is discussed next. We show how
+		  operands for the floating-point square root that lead to
+		  difficult cases for rounding can be generated, and how to
+		  use this knowledge in proving the IEEE correctness of the
+		  result of iterative algorithms that calculate the square
+		  root of a floating-point number. Similar aspects are
+		  analyzed for the floating-point divide operation, and we
+		  present a method for generating difficult cases for
+		  rounding. In the case of the floating-point divide
+		  operation, however, it is more difficult to use this
+		  information in proving the IEEE correctness of the result
+		  of an iterative algorithm than it is for the floating-point
+		  square root operation. We examine the restrictions on the
+		  method used for square root. Finally, we present possible
+		  limitations due to the finite exponent range.},
+  journal	= {Intel Technology Journal},
+  volume	= {Q2},
+  year		= 1998,
+  title		= {Proving the {IEEE} Correctness of Iterative Floating-Point
+		  Square Root, Divide, and Remainder Algorithms },
+  author	= {Marius Cornea-Hasegan},
+  keywords	= {floating-point, IEEE correctness, divide, square root,
+		  remainder},
+  url		= {\url{http://developer.intel.com/technology/itj/q21998/articles/art_3.htm}}
+		  
+}
+
+@Article{	  edelman:mathematics:1997,
+  author	= {Alan Edelman},
+  abstract	= {Despite all of the publicity surrounding the Pentium bug
+		  of 1994, the mathematical details of the bug are poorly
+		  understood. We discuss these details and supply a new proof
+		  of the Coe--Tang result that the at-risk divisors have six
+		  consecutive ones in positions 5 through 10. Also, we prove
+		  that the worst-case absolute error for arguments in [1,2)
+		  is on the order of 1e--5. },
+  journal	= {SIAM},
+  title		= {The Mathematics of the Pentium Division Bug},
+  keywords	= {Pentium, SRT division, floating point operations },
+  year		= 1997,
+  url		= {\url{http://epubs.siam.org/sam-bin/dbq/article/29395}},
+  pages		= {54--67},
+  volume	= 39,
+  number	= 1,
+  public	= {yes}
+}
+
+@Article{	  oleary.ea:formally:1999,
+  language	= {USenglish},
+  abstract	= {This paper describes the formal specification and
+		  verification of floating-point arithmetic hardware at the
+		  level of IEEE Standard 754. Floating-point correctness is a
+		  crucial problem: the functionality of Intel's
+		  floating-point hardware is architecturally visible and,
+		  once discovered, floating-point bugs are easily reproduced
+		  by the consumer. We have formally specified and verified
+		  IEEE-compliance of the Pentium{\textregistered} Pro
+		  processor's FADD, FSUB, FMUL, FDIV, FSQRT, and FPREM
+		  operations, as well as the correctness of various
+		  miscellaneous operations including conversion to and from
+		  integers. Compliance was verified against the gate-level
+		  descriptions from which the actual silicon is derived and
+		  on which all traditional pre-silicon dynamic validation is
+		  performed. Our results demonstrate that formal functional
+		  verification of gate-level floating-point designs against
+		  IEEE-level specifications is both feasible and practical.
+		  As far as the authors are aware, this is the first such
+		  demonstration. },
+  journal	= {Intel Technology Journal},
+  volume	= {Q1},
+  year		= 1999,
+  title		= {Formally Verifying {IEEE} Compliance of Floating-Point
+		  Hardware},
+  author	= {John O'Leary and Xudong Zhao and Rob Gerth and Carl-Johan
+		  H. Seger},
+  url		= {\url{http://developer.intel.com/technology/itj/q11999/articles/art_5.htm}}
+		  ,
+  keywords	= {verification; pentium; FDIV bug; flaw;
+		  floating-point-hardware; floating-point; IEEE compliance;
+		  formal verification; model checking; theorem proving }
+}
+
+@Article{	  neubauer:feinheiten:1996,
+  author	= {Marion Neubauer},
+  title		= {Feinheiten bei wissenschaftlichen {P}ublikationen --
+		  {M}ikrotypographie-{R}egeln, {T}eil {I}},
+  journal	= dtk,
+  year		= 1996,
+  volume	= {4/96},
+  altvolume	= 8,
+  altnumber	= 4,
+  month		= feb,
+  pages		= {23--40},
+  annote	= bretter,
+  localurl	= {papers/1996/dtk96_4_neubauer_feinheiten.pdf},
+  url		= {\url{http://www.dante.de/dante/DTK/}},
+  keywords	= {Mikrotypographie, Abk{\"u}rzungen, Akronyme, Einheiten,
+		  Himmelsrichtungen, Anf{\"u}hrungszeichen, Satzzeichen,
+		  Auslassungen, Sonderzeichen, email-Adressen, Ligaturen}
+}
+
+@Article{	  neubauer:feinheiten:1997,
+  author	= {Marion Neubauer},
+  title		= {Feinheiten bei wissenschaftlichen {P}ublikationen --
+		  {M}ikrotypographie-{R}egeln, {T}eil {II}},
+  journal	= dtk,
+  year		= 1997,
+  volume	= {1/97},
+  altvolume	= 9,
+  altnumber	= 1,
+  month		= may,
+  pages		= {25--44},
+  url		= {\url{http://www.dante.de/dante/DTK/}},
+  localurl	= {papers/1997/dtk97_1_neubauer_feinheiten.pdf},
+  annote	= bretter,
+  keywords	= {Mikrotypographie, Zahlen, Ziffern, Nummern, Striche,
+		  Klammern, geschachtelte Klammern, Wortzwischenr{\"a}ume,
+		  Abst{\"a}nde, mathematischer Satz, Worttennungen,
+		  Zeilenumbruch}
+}
+
+@Article{	  szpiro:mathematics:2003,
+  author	= {George Szpiro},
+  url		= {http://www.nature.com/cgi-taf/DynaPage.taf?file=/nature/journal/v424/n6944/full/424012a_fs.html}
+		  ,
+  journal	= {Nature},
+  pages		= {12--13},
+  month		= jul,
+  year		= 2003,
+  number	= 424,
+  title		= {Mathematics: Does the proof stack up?},
+  acknowledgement={none},
+  bibkey	= {szpiro:mathematics:2003}
+}
+
+@Article{	  venet:practical:2008,
+  author	= {Arnaud Venet},
+  title		= {A practical approach to formal software verification by
+		  static analysis},
+  journal	= {Ada Lett.},
+  volume	= {XXVIII},
+  number	= 1,
+  year		= 2008,
+  issn		= {1094-3641},
+  pages		= {92--95},
+  doi		= {10.1145/1387830.1387836},
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  abstract	= {Static analysis by Abstract Interpretation is a promising
+		  way for conducting formal verification of large software
+		  applications. In spite of recent successes in the
+		  verification of aerospace codes, this approach has limited
+		  industrial applicability due to the level of expertise
+		  required to engineer static analyzers. In this paper we
+		  investigate a pragmatic approach that consists of focusing
+		  on the most critical components of the application first.
+		  In this approach the user provides a description of the
+		  usage of functionalities in the critical component via a
+		  simple specification language, which is used to drive a
+		  fully automated static analysis engine. We present
+		  experimental results of the application of this approach to
+		  the verification of absence of buffer overflows in a
+		  critical library of the OpenSSH distribution.}
+}
+
+@InProceedings{	  balser.ea:formal:2000,
+  author	= {Michael Balser and Wolfgang Reif and Gerhard Schellhorn
+		  and Kurt Stenzel and Andreas Thums},
+  title		= {Formal System Development with {KIV}},
+  booktitle	= {FASE},
+  year		= 2000,
+  pages		= {363--366},
+  doi		= {10.1007/3-540-46428-X_25},
+  crossref	= {maibaum:fundamental:2000},
+  abstract	= {KIV is a tool for formal systems development. It can be
+		  employed, e.g., 1) for the development of safety critical
+		  systems from formal requirements specifications to
+		  executable code, including the verification of safety
+		  requirements and the correctness of implementations, 2) for
+		  semantical foundations of programming languages from a
+		  specification of the semantics to a verified compiler, 3)
+		  for building security models and architectural models as
+		  they are needed for high level ITSEC [7] or CC [1]
+		  evaluations. }
+}
+
+@Proceedings{	  maibaum:fundamental:2000,
+  editor	= {T. S. E. Maibaum},
+  title		= {Fundamental Approaches to Software Engineering, Third
+		  Internationsl Conference, FASE 2000, Held as Part of the
+		  European Joint Conferences on the Theory and Practice of
+		  Software, ETAPS 2000, Berlin, Germany, March 25 - April 2,
+		  2000, Proceedings},
+  booktitle	= {FASE},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 1783,
+  year		= 2000,
+  isbn		= {3-540-67261-3}
+}
+
+@InProceedings{	  castillo:asm:2001,
+  author	= {Giuseppe Del Castillo},
+  title		= {The {ASM} Workbench: A Tool Environment for Computer-Aided
+		  Analysis and Validation of Abstract State Machine Models
+		  Tool Demonstration},
+  booktitle	= {TACAS},
+  year		= 2001,
+  pages		= {578--581},
+  doi		= {10.1007/3-540-45319-9_40},
+  abstract	= {Gurevich{\^a}s Abstract State Machines (ASMs) constitute a
+		  high-level state-based modelling language, which has been
+		  used in a wide range of applications. The ASM Workbench is
+		  a comprehensive tool environment supporting the development
+		  and computer-aided analysis and validation of ASM models.
+		  It is based on a typed version of the ASM language, called
+		  ASM-SL, and includes features for type-checking,
+		  simulation, debugging, and verification of ASM models.},
+  crossref	= {margaria.ea:tools:2001}
+}
+
+@Proceedings{	  margaria.ea:tools:2001,
+  editor	= {Tiziana Margaria and Wang Yi},
+  title		= {Tools and Algorithms for the Construction and Analysis of
+		  Systems, 7th International Conference, TACAS 2001 Held as
+		  Part of the Joint European Conferences on Theory and
+		  Practice of Software, ETAPS 2001 Genova, Italy, April 2-6,
+		  2001, Proceedings},
+  booktitle	= {TACAS},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 2031,
+  year		= 2001,
+  isbn		= {3-540-41865-2}
+}
+
+@Article{	  gurevich.ea:semantic:2005,
+  title		= {Semantic essence of {AsmL}},
+  journal	= {Theoretical Computer Science},
+  volume	= 343,
+  number	= 3,
+  pages		= {370--412},
+  year		= 2005,
+  note		= {Formal Methods for Components and Objects},
+  issn		= {0304-3975},
+  doi		= {10.1016/j.tcs.2005.06.017},
+  author	= {Yuri Gurevich and Benjamin Rossman and Wolfram Schulte},
+  keywords	= {Abstract state machine,Executable specification language},
+  abstract	= { The Abstract State Machine Language, AsmL, is a novel
+		  executable specification language based on the theory of
+		  Abstract State Machines. AsmL is object-oriented, provides
+		  high-level mathematical data-structures, and is built
+		  around the notion of synchronous updates and finite choice.
+		  AsmL is fully integrated into the .NET framework and
+		  Microsoft development tools. In this paper, we explain the
+		  design rationale of AsmL and provide static and dynamic
+		  semantics for a kernel of the language.}
+}
+
+@Article{	  gargantini.ea:metamodel-based:2008,
+  author	= {Angelo Gargantini and Elvinia Riccobene and Patrizia
+		  Scandurra},
+  title		= {A Metamodel-based Language and a Simulation Engine for
+		  Abstract State Machines},
+  journal	= j-ucs,
+  volume	= 14,
+  number	= 12,
+  year		= 2008,
+  pages		= {1949--1983},
+  abstract	= {In this paper, we present a concrete textual notation,
+		  called AsmetaL, and a general-purpose simulation engine,
+		  called AsmetaS, for Abstract State Machine (ASM)
+		  specifications. They have been developed as part of the
+		  ASMETA (ASMs mETAmodelling) toolset, which is a set of
+		  tools for ASMs based on the metamodelling approach of the
+		  Model-driven Engineering. We briefly present the ASMETA
+		  framework, and we discuss how the language and the
+		  simulator have been developed exploiting the advantages
+		  offered by the metamodelling approach. We introduce the
+		  language AsmetaL used to write ASM specifications, and we
+		  provide the AsmetaL encoding of ASM specifications of
+		  increasing complexity. We explain the AsmetaS architecture,
+		  its kernel engine, and how the simulator works within the
+		  ASMETA tool set. We discuss the features currently
+		  supported by the simulator and how it has been validated.}
+}
+
+@Manual{	  schmid:introduction:2001,
+  author	= {Joachim Schmid},
+  title		= {Introduction to {AsmGofer}},
+  year		= 2001
+}
+
+@InProceedings{	  miller.ea:czt:2005,
+  author	= {Tim Miller and Leo Freitas and Petra Malik and Mark
+		  Utting},
+  title		= {{CZT} Support for {Z} Extensions},
+  year		= 2005,
+  pages		= {227--245},
+  doi		= {10.1007/11589976_14},
+  crossref	= {romijn.ea:integrated:2005},
+  abstract	= {Community Z Tools (CZT) is an integrated framework for the
+		  Z formal specification language. In this paper, we show how
+		  it is also designed to support extensions of Z, in a way
+		  that minimises the work required to build a new Z
+		  extension. The goals of the framework are to maximise
+		  extensibility and reuse, and minimise code duplication and
+		  maintenance effort. To achieve these goals, CZT uses a
+		  variety of different reuse mechanisms, including generation
+		  of Java code from a hierarchy of XML schemas, XML templates
+		  for shared code, and several design patterns for maximising
+		  reuse of Java code. The CZT framework is being used to
+		  implement several integrated formal methods, which add
+		  object-orientation, real-time features and process algebra
+		  extensions to Z. The effort required to implement such
+		  extensions of Z has been dramatically reduced by using the
+		  CZT framework.}
+}
+
+@Proceedings{	  romijn.ea:integrated:2005,
+  editor	= {Judi Romijn and Graeme Smith and Jaco van de Pol},
+  booktitle	= {Integrated Formal Methods (IFM)},
+  location	= {Eindhoven, The Netherlands},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 3771,
+  year		= 2005,
+  isbn		= {3-540-30492-4}
+}
+
+@TechReport{	  ashley.ea:enterprise:2003,
+  author	= {Paul Ashley and Satoshi Hada and G{\"u}nter Karjoth and
+		  Calvin Powers and Matthias Schunter},
+  editor	= {Calvin Powers and Matthias Schunter},
+  title		= {Enterprise Privacy Authorization Language ({EPAL} 1.2)},
+  institution	= {IBM},
+  year		= 2003,
+  url		= {http://www.zurich.ibm.com/security/enterprise-privacy/epal}
+		  
+}
+
+@TechReport{	  cisc:securing:2008,
+  title		= {Securing Cyberspace for the 44th Presidency},
+  institution	= {Center for Strategic and International Studies (CSIS)},
+  month		= dec,
+  year		= 2008
+}
+
+@InProceedings{	  wei.ea:authorization:2008,
+  author	= {Qiang Wei and Jason Crampton and Konstantin Beznosov and
+		  Matei Ripeanu},
+  title		= {Authorization recycling in {RBAC} systems},
+  booktitle	= {ACM symposium on Access control models and technologies
+		  (SACMAT)},
+  year		= 2008,
+  isbn		= {978-1-60558-129-3},
+  pages		= {63--72},
+  location	= {Estes Park, CO, USA},
+  doi		= {10.1145/1377836.1377848},
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  abstract	= {As distributed applications increase in size and
+		  complexity, traditional authorization mechanisms based on a
+		  single policy decision point are increasingly fragile
+		  because this decision point represents a single point of
+		  failure and a performance bottleneck. Authorization
+		  recycling is one technique that has been used to address
+		  these challenges.
+		  
+		  This paper introduces and evaluates the mechanisms for
+		  authorization recycling in RBAC enterprise systems. The
+		  algorithms that support these mechanisms allow precise and
+		  approximate authorization decisions to be made, thereby
+		  masking possible failures of the policy decision point and
+		  reducing its load. We evaluate these algorithms
+		  analytically and using a prototype implementation. Our
+		  evaluation results demonstrate that authorization recycling
+		  can improve the performance of distributed access control
+		  mechanisms.}
+}
+
+@Article{	  karjoth:access:2003,
+  author	= {G{\"u}nter Karjoth},
+  title		= {Access control with {IBM} {Tivoli} access manager},
+  journal	= j-tissec,
+  publisher	= pub-acm,
+  address	= pub-acm:adr,
+  volume	= 6,
+  number	= 2,
+  year		= 2003,
+  pages		= {232--257},
+  doi		= {10.1145/762476.762479},
+  abstract	= {Web presence has become a key consideration for the
+		  majority of companies and other organizations. Besides
+		  being an essential information delivery tool, the Web is
+		  increasingly being regarded as an extension of the
+		  organization itself, directly integrated with its operating
+		  processes. As this transformation takes place, security
+		  grows in importance. IBM Tivoli Access Manager offers a
+		  shared infrastructure for authentication and access
+		  management, technologies that have begun to emerge in the
+		  commercial marketplace. This paper describes the
+		  Authorization Service provided by IBM Tivoli Access Manager
+		  for e-business (AM) and its use by AM family members as
+		  well as third-party applications. Policies are defined over
+		  a protected object namespace and stored in a database,
+		  which is managed via a management console and accessed
+		  through an Authorization API. The protected object
+		  namespace abstracts from heterogeneous systems and thus
+		  enables the definition of consistent policies and their
+		  centralized management. ACL inheritance and delegated
+		  management allow these policies to be managed efficiently.
+		  The Authorization API allows applications with their own
+		  access control requirements to decouple authorization logic
+		  from application logic. Policy checking can be externalized
+		  by using either a proxy that sits in front of the Web
+		  servers and application servers or a plug-in that examines
+		  the request. Thus, AM familiy members establish a single
+		  entry point to enforce enterprise policies that regulate
+		  access to corporate data.}
+}
+
+@Book{		  heijenoort:from:2002,
+  abstract	= {The fundamental texts of the great classical period in
+		  modern logic, some of them never before available in
+		  English translation, are here gathered together for the
+		  first time. Modern logic, heralded by Leibniz, may be said
+		  to have been initiated by Boole, De Morgan, and Jevons, but
+		  it was the publication in 1879 of Gottlob Frege's
+		  Begriffsschrift that opened a great epoch in the history of
+		  logic by presenting, in full-fledged form, the
+		  propositional calculus and quantification theory. Frege's
+		  book, translated in its entirety, begins the present
+		  volume. The emergence of two new fields, set theory and
+		  foundations of mathematics, on the borders of logic,
+		  mathematics, and philosophy, is depicted by the texts that
+		  follow. Peano and Dedekind illustrate the trend that led to
+		  Principia Mathematica. Burali-Forti, Cantor, Russell,
+		  Richard, and K\"{o}nig mark the appearance of the modern
+		  paradoxes. Hilbert, Russell, and Zermelo show various ways
+		  of overcoming these paradoxes and initiate, respectively,
+		  proof theory, the theory of types, and axiomatic set
+		  theory. Skolem generalizes L\"{o}wenheim's theorem, and he
+		  and Fraenkel amend Zermelo's axiomatization of set theory,
+		  while von Neumann offers a somewhat different system. The
+		  controversy between Hubert and Brouwer during the twenties
+		  is presented in papers of theirs and in others by Weyl,
+		  Bernays, Ackermann, and Kolmogorov. The volume concludes
+		  with papers by Herbrand and by G\"{o}del, including the
+		  latter's famous incompleteness paper. Of the forty-five
+		  contributions here collected all but five are presented in
+		  extenso. Those not originally written in English have been
+		  translated with exemplary care and exactness; the
+		  translators are themselves mathematical logicians as well
+		  as skilled interpreters of sometimes obscure texts. Each
+		  paper is introduced by a note that sets it in perspective,
+		  explains its importance, and points out difficulties in
+		  interpretation. Editorial comments and footnotes are
+		  interpolated where needed, and an extensive bibliography is
+		  included.},
+  author	= {Jean van Heijenoort},
+  howpublished	= {Paperback},
+  isbn		= 0674324498,
+  keywords	= {frege, godel, logic},
+  month		= {January},
+  posted-at	= {2006-05-07 22:17:38},
+  priority	= 2,
+  publisher	= {{Harvard University Press}},
+  title		= {From Frege to G{\"o}del : A Source Book in Mathematical
+		  Logic, 1879-1931 (Source Books in the History of the
+		  Sciences)},
+  year		= 2002
+}
+
+@InProceedings{	  kohler.ea:avoiding:2008,
+  author	= {Mathias Kohler and Andreas Schaad},
+  title		= {Avoiding Policy-based Deadlocks in Business Processes},
+  year		= 2008,
+  pages		= {709--716},
+  doi		= {10.1109/ARES.2008.131},
+  address	= pub-ieee:adr,
+  publisher	= pub-ieee,
+  abstract	= {In the field of business process management, deadlocks
+		  describe a situation where a workflow execution is blocked
+		  and cannot be completed. We speak of policy-based deadlocks
+		  if such a situation is caused by unsatisfiable resource
+		  requirements due to security constraints specified as part
+		  of the business process. In this paper we propose a method
+		  to avoid policy-based deadlocks by analyzing a workflow's
+		  security constraints, determine the minimal required number
+		  of users, and provide an optimal user-activity assignment
+		  for a deadlock-free workflow execution. We will finally
+		  validate our proposed approach by applying it to a
+		  real-world scenario. },
+  booktitle	= {Third International Conference on Availability,
+		  Reliability and Security (ARES 2008)},
+  location	= {Technical University of Catalonia, Barcelona , Spain},
+  month		= mar
+}
+
+@InProceedings{	  modersheim.ea:open-source:2009,
+  author	= {Sebastian M{\"o}dersheim and Luca Vigan{\`o}},
+  title		= {The Open-Source Fixed-Point Model Checker for Symbolic
+		  Analysis of Security Protocols},
+  booktitle	= {FOSAD},
+  year		= 2009,
+  pages		= {166--194},
+  doi		= {10.1007/978-3-642-03829-7_6},
+  crossref	= {aldini.ea:foundations:2009}
+}
+
+@Proceedings{	  aldini.ea:foundations:2009,
+  editor	= {Alessandro Aldini and Gilles Barthe and Roberto Gorrieri},
+  title		= {Foundations of Security Analysis and Design V, FOSAD
+		  2007/2008/2009 Tutorial Lectures},
+  booktitle	= {FOSAD},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 5705,
+  year		= 2009,
+  isbn		= {978-3-642-03828-0},
+  doi		= {10.1007/978-3-642-03829-7}
+}
+
+@Article{	  dolev.ea:security:1981,
+  author	= {D. Dolev and A. C. Yao},
+  title		= {On the security of public key protocols},
+  journal	= {Symposium on Foundations of Computer Science},
+  volume	= 0,
+  year		= 1981,
+  issn		= {0272-5428},
+  pages		= {350--357},
+  doi		= {10.1109/SFCS.1981.32},
+  publisher	= {IEEE Computer Society},
+  address	= {Los Alamitos, CA, USA}
+}
+
+@InProceedings{	  levin.ea:securing:2009,
+  author	= {Timothy E. Levin and Jeffrey S. Dwoskin and Ganesha
+		  Bhaskara and Thuy D. Nguyen and Paul C. Clark and Ruby B.
+		  Lee and Cynthia E. Irvine and Terry Benzel},
+  title		= {Securing the Dissemination of Emergency Response Data with
+		  an Integrated Hardware-Software Architecture},
+  year		= 2009,
+  pages		= {133--152},
+  doi		= {10.1007/978-3-642-00587-9_9},
+  crossref	= {chen.ea:trusted:2009},
+  abstract	= {During many crises, access to sensitive emergency-support
+		  information is required to save lives and property. For
+		  example, for effective evacuations first responders need
+		  the names and addresses of non-ambulatory residents. Yet,
+		  currently, access to such information may not be possible
+		  because government policy makers and third-party data
+		  providers lack confidence that today{\^a}s IT systems will
+		  protect their data. Our approach to the management of
+		  emergency information provides first responders with
+		  temporary, transient access to sensitive information, and
+		  ensures that the information is revoked after the
+		  emergency. The following contributions are presented: a
+		  systematic analysis of the basic forms of trusted
+		  communication supported by the architecture; a
+		  comprehensive method for secure, distributed emergency
+		  state management; a method to allow a userspace application
+		  to securely display data; a multifaceted system analysis of
+		  the confinement of emergency information and the secure and
+		  complete revocation of access to that information at the
+		  closure of an emergency.}
+}
+
+@Proceedings{	  chen.ea:trusted:2009,
+  editor	= {Liqun Chen and Chris J. Mitchell and Andrew Martin},
+  booktitle		= PROC # {International Conference on Trusted
+                  Computing (Trust)},
+  location		= {Trusted Computing, Second International Conference, Trust
+		  2009, Oxford, UK, April 6-8, 2009, Proceedings},
+  series	= s-lncs,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  volume	= 5471,
+  year		= 2009,
+  isbn		= {978-3-642-00586-2},
+  doi		= {10.1007/978-3-642-00587-9}
+}
+
+@Book{		  wunder.ea:verteilte:2009,
+  editor	= {Michael Wunder and J{\"u}rgen Grosche},
+  title		= {Verteilte F{\"u}hrungsinformationssysteme},
+  abstract	= {R{\"u}ckblick und Sachstand der technologischen Aspekte
+		  bei der Entwicklung verteilter
+		  F{\"u}hrungsinformationssysteme, einer zentralen Aufgabe in
+		  der Bundeswehr sowie bei Beh{\"o}rden und Organisationen
+		  mit Sicherheitsaufgeben (z.B. Polizei, Rettungskr{\"a}fte).
+		  
+		  Vornehmlich Wissenschaftler der Abteilung
+		  Informationstechnik f{\"u}r F{\"u}hrungssysteme des
+		  Forschungsinstituts f{\"u}r Kommunikation,
+		  Informationsverarbeitung und Ergonomie beschreiben
+		  basierend auf einer 40-j{\"a}hrigen Erfahrung in diesem
+		  Anwendungsgebiet Konzepte und Einzelaspekte bei der
+		  Gestaltung von F{\"u}hrungsinformationssystemen.
+		  Reflektiert werden aktuelle Problembereiche bei der
+		  Vernetzung unterschiedlicher Systeme, einer der derzeit
+		  gr{\"o}{\ss}ten Herausforderungen bei der Neugestaltung der
+		  Abl{\"a}ufe und Systeme in der Bundeswehr und in verwandten
+		  Einrichtungen. Dazu werden Informationsstrukturen und
+		  Prozesse untersucht, Systemarchitekturen ausgewertet und
+		  kombiniert sowie Laborstudien und Feldversuche beschrieben.
+		  
+		  In ca. 25 Beitr{\"a}gen wird eine L{\"u}cke in der
+		  verf{\"u}gbaren Literatur geschlossen, die der Vielzahl von
+		  Entwicklern und Anwendern einen Einblick in die aktuelle
+		  Lage und die zuk{\"u}nftigen Gestaltungsm{\"o}glichkeiten bietet.},
+  isbn		= {978-3-642-00508-4},
+  language	= {German},
+  doi		= {10.1007/978-3-642-00509-1},
+  year		= 2009,
+  publisher	= pub-springer,
+  address	= pub-springer:adr
+}
+
+@InProceedings{	  levin.ea:idea:2009,
+  author	= {Timothy E. Levin and Cynthia E. Irvine and Terry Benzel
+		  and Thuy D. Nguyen and Paul C. Clark and Ganesha Bhaskara},
+  title		= {Idea: Trusted Emergency Management},
+  booktitle	= {ESSoS},
+  year		= 2009,
+  pages		= {32--36},
+  doi		= {10.1007/978-3-642-00199-4_3},
+  abstract	= {Through first-responder access to sensitive information
+		  for which they have not been pre-vetted, lives and property
+		  can be saved. We describe enhancements to a trusted
+		  emergency information management (EIM) system that securely
+		  allows for extraordinary access to sensitive information
+		  during a crisis. A major component of the architecture is
+		  the end-user device, the security of which is enhanced with
+		  processor-level encryption of memory. This paper introduces
+		  an approach to more efficiently use the
+		  processor-encryption feature for secure data storage, as
+		  well as ISA instructions for the management of emergency
+		  state.},
+  crossref	= {massacci.ea:engineering:2009}
+}
+
+@Proceedings{	  massacci.ea:engineering:2009,
+  editor	= {Fabio Massacci and Samuel T. Redwine Jr. and Nicola
+		  Zannone},
+  title		= {Engineering Secure Software and Systems, First
+		  International Symposium ESSoS 2009, Leuven, Belgium,
+		  February 4-6, 2009. Proceedings},
+  booktitle	= {ESSoS},
+  volume	= 5429,
+  year		= 2009,
+  isbn		= {978-3-642-00198-7},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  doi		= {10.1007/978-3-642-00199-4}
+}
+
+@Article{	  phan.ea:survey:2008,
+  author	= {Tan Phan and Jun Han and Jean-Guy Schneider and Tim
+		  Ebringer and Tony Rogers},
+  title		= {A Survey of Policy-Based Management Approaches for Service
+		  Oriented Systems},
+  journal	= {Australian Software Engineering Conference},
+  volume	= 0,
+  year		= 2008,
+  issn		= {1530-0803},
+  pages		= {392--401},
+  doi		= {10.1109/ASWEC.2008.56},
+  address	= pub-ieee:adr,
+  publisher	= pub-ieee,
+  abstract	= {Policy based management in Service Oriented Architecture
+		  (SOA) allows organizations to apply rules and regulations
+		  on their business processes. Policy has long been employed
+		  in the management of traditional distributed systems and
+		  many policy frameworks have been proposed. However,SOA
+		  differs in several aspects to traditional systems; thus,
+		  there is a unique set of requirements for an effective SOA
+		  policy system. In this paper, we evaluate five popular
+		  policy frameworks which are IETF, Ponder, KAoS, Rei and
+		  WS-Policy against a number of general and SOA-specific
+		  criteria to identify what features of these existing
+		  systems can be adopted for SOA and what are not. We then,
+		  based on their feature sets, discuss the applicability of
+		  the frameworks for SOA management.}
+}
+
+@InProceedings{	  sevinc.ea:securing:2007,
+  author	= {Paul E. Sevin\c{c} and Mario Strasser and David A. Basin},
+  title		= {Securing the Distribution and Storage of Secrets with
+		  Trusted Platform Modules},
+  booktitle	= {WISTP},
+  year		= 2007,
+  pages		= {53--66},
+  doi		= {10.1007/978-3-540-72354-7_5},
+  crossref	= {sauveron.ea:information:2007},
+  abstract	= {We present a protocol that allows servers to securely
+		  distribute secrets to trusted platforms. The protocol
+		  maintains the confidentiality of secrets in the face of
+		  eavesdroppers and careless users. Given an ideal
+		  (tamper-proof) trusted platform, the protocol can even
+		  withstand attacks by dishonest users. As an example of its
+		  use, we present an application to secure document
+		  processing.}
+}
+
+@Proceedings{	  sauveron.ea:information:2007,
+  editor	= {Damien Sauveron and Constantinos Markantonakis and Angelos
+		  Bilas and Jean-Jacques Quisquater},
+  title		= {Information Security Theory and Practices. Smart Cards,
+		  Mobile and Ubiquitous Computing Systems, First IFIP TC6 /
+		  WG 8.8 / WG 11.2 International Workshop, WISTP 2007,
+		  Heraklion, Crete, Greece, May 9-11, 2007, Proceedings},
+  booktitle	= {WISTP},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 4462,
+  year		= 2007,
+  isbn		= {978-3-540-72353-0}
+}
+
+@InProceedings{	  liu.ea:fabric:2009,
+  author	= {Jed Liu and Michael D. George and K. Vikram and Xin Qi and
+		  Lucas Waye and Andrew C. Myers},
+  title		= {Fabric: a platform for secure distributed computation and
+		  storage},
+  booktitle	= {SOSP '09: Proceedings of the ACM SIGOPS 22nd symposium on
+		  Operating systems principles},
+  year		= 2009,
+  isbn		= {978-1-60558-752-3},
+  pages		= {321--334},
+  location	= {Big Sky, Montana, USA},
+  doi		= {10.1145/1629575.1629606},
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  abstract	= {Fabric is a new system and language for building secure
+		  distributed information systems. It is a decentralized
+		  system that allows heterogeneous network nodes to securely
+		  share both information and computation resources despite
+		  mutual distrust. Its high-level programming language makes
+		  distribution and persistence largely transparent to
+		  programmers. Fabric supports data-shipping and
+		  function-shipping styles of computation: both computation
+		  and information can move between nodes to meet security
+		  requirements or to improve performance. Fabric provides a
+		  rich, Java-like object model, but data resources are
+		  labeled with confidentiality and integrity policies that
+		  are enforced through a combination of compile-time and
+		  run-time mechanisms. Optimistic, nested transactions ensure
+		  consistency across all objects and nodes. A peer-to-peer
+		  dissemination layer helps to increase availability and to
+		  balance load. Results from applications built using Fabric
+		  suggest that Fabric has a clean, concise programming model,
+		  offers good performance, and enforces security.}
+}
+
+@InProceedings{	  ferreira.ea:how:2009,
+  author	= {Ana Ferreira and David Chadwick and Pedro Farinha and
+		  Gansen Zhao and Rui Chilro and Ricardo Cruz-Correia and
+		  Luis Antunes},
+  title		= {How to securely break into RBAC: the BTG-RBAC model},
+  booktitle	= {Annual Computer Security Applications Conference (ACSAC)},
+  year		= 2009,
+  abstract	= {Access control models describe frameworks that dictate how
+		  subjects (e.g. users) access resources. In the Role-Based
+		  Access Control (RBAC) model access to resources is based on
+		  the role the user holds within the organization. Although
+		  flexible and easier to manage within large-scale
+		  authorization frameworks, RBAC is usually a static model
+		  where access control decisions have only two output
+		  options: Grant or Deny. Break The Glass (BTG) policies can
+		  be provided in order to break or override the access
+		  controls within an access control policy but in a
+		  controlled and justifiable manner. The main objective of
+		  this paper is to integrate BTG within the NIST/ANSI RBAC
+		  model in a transparent and secure way so that it can be
+		  adopted generically in any domain where unanticipated or
+		  emergency situations may occur. The new proposed model,
+		  called BTG-RBAC, provides a third decision option BTG. This
+		  allows break the glass policies to be implemented in any
+		  application without any major changes to either the
+		  application or the RBAC authorization infrastructure, apart
+		  from the decision engine. Finally, in order to validate the
+		  model, we discuss how the BTG-RBAC model is being
+		  introduced within a Portuguese healthcare institution where
+		  the legislation requires that genetic information must be
+		  accessed by a restricted group of healthcare professionals.
+		  These professionals, advised by the ethical committee, have
+		  required and asked for the implementation of the BTG
+		  concept in order to comply with the said legislation.}
+}
+
+@Article{	  moggi:notions:1991,
+  author	= {Eugenio Moggi},
+  title		= {Notions of Computation and Monads},
+  journal	= {Information and Computation},
+  volume	= 93,
+  number	= 1,
+  year		= 1991,
+  pages		= {55--92}
+}
+
+@InProceedings{	  wadler:monads:1995,
+  author	= {Philip Wadler},
+  title		= {Monads for Functional Programming},
+  booktitle	= {Advanced Functional Programming},
+  year		= 1995,
+  pages		= {24--52},
+  crossref	= {jeuring.ea:advanced:1995}
+}
+
+@Proceedings{	  jeuring.ea:advanced:1995,
+  editor	= {Johan Jeuring and Erik Meijer},
+  title		= {Advanced Functional Programming, First International
+		  Spring School on Advanced Functional Programming
+		  Techniques, B{\aa}stad, Sweden, May 24-30, 1995, Tutorial
+		  Text},
+  booktitle	= {Advanced Functional Programming},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 925,
+  year		= 1995,
+  isbn		= {3-540-59451-5}
+}
+
+@InProceedings{	  grieskamp.ea:model-based:2008,
+  author	= {Wolfgang Grieskamp and Nicolas Kicillof and Dave MacDonald
+		  and Alok Nandan and Keith Stobie and Fred L. Wurden},
+  title		= {Model-Based Quality Assurance of Windows Protocol
+		  Documentation},
+  booktitle	= {Software Testing, Verification, and Validation (ICST)},
+  year		= 2008,
+  pages		= {502--506},
+  doi		= {10.1109/ICST.2008.50},
+  abstract	= {Microsoft is producing high-quality documentation for
+		  Windows client-server and server-server protocols. Our
+		  group in the Windows organization is responsible for
+		  verifying the documentation to ensure it is of the highest
+		  quality. We are applying various test-driven methods
+		  including, when appropriate, a model-based approach. This
+		  paper describes certain aspects of the quality assurance
+		  process we put in place, and specifically focuses on
+		  model-based testing (MBT). Our experiences so far confirm
+		  that MBT works and that it scales, provided it is
+		  accompanied by sound tool support and clear methodological
+		  guidance.},
+  location	= {Lillehammer, Norway, April 9-11, 2008},
+  volume	= 0,
+  isbn		= {978-0-7695-3127-4},
+  publisher	= pub-ieee,
+  address	= pub-ieee:adr
+}
+
+@InProceedings{	  berghofer.ea:random:2004,
+  author	= {Stefan Berghofer and Tobias Nipkow},
+  title		= {Random Testing in Isabelle/HOL},
+  booktitle	= {Software Engineering and Formal Methods (SEFM)},
+  year		= 2004,
+  pages		= {230--239},
+  doi		= {10.1109/SEFM.2004.36},
+  abstract	= {When developing non-trivial formalizations in a theorem
+		  prover, a considerable amount of time is devoted to
+		  "debugging" specifications and conjectures by failed proof
+		  attempts. To detect such problems early in the proof and
+		  save development time, we have extended the Isabelle
+		  theorem prover with a tool for testing specifications by
+		  evaluating propositions under an assignment of random
+		  values to free variables. Distribution of the test data is
+		  optimized via mutation testing. The technical contributions
+		  are an extension of earlier work with inductive definitions
+		  and a generic method for randomly generating elements of
+		  recursive datatypes.},
+  location	= {28-30 September 2004, Beijing, China},
+  publisher	= pub-ieee,
+  address	= pub-ieee:adr,
+  isbn		= {0-7695-2222-X}
+}
+
+@TechReport{	  gallaher.ea:economic:2002,
+  institution	= {National Institute of Standards \& Technology},
+  number	= {Planning Report 02-03},
+  year		= 2002,
+  month		= may,
+  author	= {M.P. Gallaher and B.M. Kropp},
+  title		= {The Economic Impacts of Inadequate Infrastructure for
+		  Software Testing},
+  abstract	= {Software has become an intrinsic part of business over the
+		  last decade. Virtually every business in the U.S. in every
+		  sector depends on it to aid in the development, production,
+		  marketing, and support of its products and services.
+		  Advances in computers and related technology have provided
+		  the building blocks on which new industries have evolved.
+		  Innovations in the fields of robotic manufacturing,
+		  nanotechnologies, and human genetics research all have been
+		  enabled by low cost computational and control capabilities
+		  supplied by computers and software. In 2000, total sales of
+		  software reached approximately \$180 billion. Rapid growth
+		  has created a significant and high-paid workforce, with
+		  697,000 employed as software engineers and an additional
+		  585,000 as computer programmers. Reducing the cost of
+		  software development and improving software quality are
+		  important objectives of the U.S. software industry.
+		  However, the complexity of the underlying software needed
+		  to support the U.S.'s computerized economy is increasing at
+		  an alarming rate. The size of software products is no
+		  longer measured in terms of thousands of lines of code, but
+		  millions of lines of code. This increasing complexity along
+		  with a decreasing average market life expectancy for many
+		  software products has heightened concerns over software
+		  quality.}
+}
+
+@InProceedings{	tej.ea:corrected:1997,
+  author	= {Haykal Tej and Burkhart Wolff},
+  title		= {A Corrected Failure Divergence Model for {CSP} in
+		  {Isabelle/HOL}},
+  year		= 1997,
+  pages		= {318--337},
+  doi		= {10.1007/3-540-63533-5_17},
+  abstract	= {We present a failure-divergence model for CSP following
+		  the concepts of [BR 85]. Its formal representation within
+		  higher order logic in the theorem prover Isabelle/HOL [Pau
+		  94] revealed an error in the basic definition of CSP
+		  concerning the treatment of the termination symbol tick. A
+		  corrected model has been formally proven consistent with
+		  Isabelle/HOL. Moreover, the changed version maintains the
+		  essential algebraic properties of CSP. As a result, there
+		  is a proven correct implementation of a ldquoCSP
+		  workbenchrdquo within Isabelle.},
+  crossref	= {fitzgerald.ea:formal:1997}
+}
+
+@Proceedings{	  fitzgerald.ea:formal:1997,
+  editor	= {John S. Fitzgerald and Cliff B. Jones and Peter Lucas},
+  booktitle	= {Formal Methods Europe (FME)},
+  location	= {Graz, Austria, September 15-19, 1997, Proceedings},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 1313,
+  year		= 1997,
+  isbn		= {3-540-63533-5}
+}
+
+@InProceedings{	  bentakouk.ea:formal:2009,
+  author	= {Lina Bentakouk and Pascal Poizat and Fatiha Za\"{\i}di},
+  title		= {A Formal Framework for Service Orchestration Testing Based
+		  on Symbolic Transition Systems},
+  year		= 2009,
+  pages		= {16--32},
+  doi		= {10.1007/978-3-642-05031-2_2},
+  crossref	= {nunez.ea:testing:2009},
+  abstract	= {The pre-eminent role played by software composition, and
+		  more particularly service composition, in modern software
+		  development, together with the complexity of workflow
+		  languages such as WS-BPEL have made composite service
+		  testing a topical issue. In this article we contribute to
+		  this issue with an automatic testing approach for WS-BPEL
+		  orchestrations. Compared to related work, we support
+		  WS-BPEL data computations and exchanges, while overcoming
+		  the consequential state explosion problem. This is achieved
+		  through the use of symbolic transition system models and
+		  their symbolic execution. Throughout the article, we
+		  illustrate our approach on a realistic medium-size example.
+		  
+		  }
+}
+
+@Proceedings{	  nunez.ea:testing:2009,
+  editor	= {Manuel N{\'u}{\~n}ez and Paul Baker and Mercedes G. Merayo},
+  title		= {Testing of Software and Communication Systems, 21st IFIP
+		  WG 6.1 International Conference, TESTCOM 2009 and 9th
+		  International Workshop, FATES 2009, Eindhoven, The
+		  Netherlands, November 2-4, 2009. Proceedings},
+  booktitle	= {TestCom/FATES},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 5826,
+  year		= 2009,
+  isbn		= {978-3-642-05030-5},
+  doi		= {10.1007/978-3-642-05031-2}
+}
+
+@InProceedings{	  anand.ea:demand-driven:2008,
+  author	= {Saswat Anand and Patrice Godefroid and Nikolai Tillmann},
+  title		= {Demand-Driven Compositional Symbolic Execution},
+  booktitle	= {TACAS},
+  year		= 2008,
+  pages		= {367--381},
+  doi		= {10.1007/978-3-540-78800-3_28},
+  crossref	= {ramakrishnan.ea:tools:2008},
+  abstract	= {We discuss how to perform symbolic execution of large
+		  programs in a manner that is both compositional (hence more
+		  scalable) and demand-driven. Compositional symbolic
+		  execution means finding feasible interprocedural program
+		  paths by composing symbolic executions of feasible
+		  intraprocedural paths. By demand-driven, we mean that as
+		  few intraprocedural paths as possible are symbolically
+		  executed in order to form an interprocedural path leading
+		  to a specific target branch or statement of interest (like
+		  an assertion). A key originality of this work is that our
+		  demand-driven compositional interprocedural symbolic
+		  execution is performed entirely using first-order logic
+		  formulas solved with an off-the-shelf SMT
+		  (Satisfiability-Modulo-Theories) solver {\^a} no procedure
+		  in-lining or custom algorithm is required for the
+		  interprocedural part. This allows a uniform and elegant way
+		  of summarizing procedures at various levels of detail and
+		  of composing those using logic formulas. We have
+		  implemented a prototype of this novel symbolic execution
+		  technique as an extension of Pex, a general automatic
+		  testing framework for .NET applications. Preliminary
+		  experimental results are encouraging. For instance, our
+		  prototype was able to generate tests triggering assertion
+		  violations in programs with large numbers of program paths
+		  that were beyond the scope of non-compositional test
+		  generation. }
+}
+
+@Proceedings{	  ramakrishnan.ea:tools:2008,
+  editor	= {C. R. Ramakrishnan and Jakob Rehof},
+  title		= {Tools and Algorithms for the Construction and Analysis of
+		  Systems, 14th International Conference, TACAS 2008, Held as
+		  Part of the Joint European Conferences on Theory and
+		  Practice of Software, ETAPS 2008, Budapest, Hungary, March
+		  29-April 6, 2008. Proceedings},
+  booktitle	= {TACAS},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 4963,
+  year		= 2008,
+  isbn		= {978-3-540-78799-0}
+}
+
+@InProceedings{	  boyapati.ea:korat:2002,
+  author	= {Chandrasekhar Boyapati and Sarfraz Khurshid and Darko
+		  Marinov},
+  title		= {{Korat}: automated testing based on {Java} predicates},
+  booktitle	= {ISSTA},
+  year		= 2002,
+  pages		= {123--133},
+  doi		= {10.1145/566172.566191},
+  abstract	= {This paper presents Korat, a novel framework for automated
+		  testing of Java programs. Given a formal specification for
+		  a method, Korat uses the method precondition to
+		  automatically generate all (nonisomorphic) test cases up to
+		  a given small size. Korat then executes the method on each
+		  test case, and uses the method postcondition as a test
+		  oracle to check the correctness of each output.To generate
+		  test cases for a method, Korat constructs a Java predicate
+		  (i.e., a method that returns a boolean) from the method's
+		  pre-condition. The heart of Korat is a technique for
+		  automatic test case generation: given a predicate and a
+		  bound on the size of its inputs, Korat generates all
+		  (nonisomorphic) inputs for which the predicate returns
+		  true. Korat exhaustively explores the bounded input space
+		  of the predicate but does so efficiently by monitoring the
+		  predicate's executions and pruning large portions of the
+		  search space.This paper illustrates the use of Korat for
+		  testing several data structures, including some from the
+		  Java Collections Framework. The experimental results show
+		  that it is feasible to generate test cases from Java
+		  predicates, even when the search space for inputs is very
+		  large. This paper also compares Korat with a testing
+		  framework based on declarative specifications. Contrary to
+		  our initial expectation, the experiments show that Korat
+		  generates test cases much faster than the declarative
+		  framework.}
+}
+
+@Article{	  visser.ea:model:2003,
+  author	= {Willem Visser and Klaus Havelund and Guillaume P. Brat and
+		  Seungjoon Park and Flavio Lerda},
+  title		= {Model Checking Programs},
+  journal	= {Autom. Softw. Eng.},
+  volume	= 10,
+  number	= 2,
+  year		= 2003,
+  pages		= {203--232},
+  doi		= {10.1023/A:1022920129859},
+  abstract	= {The majority of work carried out in the formal methods
+		  community throughout the last three decades has (for good
+		  reasons) been devoted to special languages designed to make
+		  it easier to experiment with mechanized formal methods such
+		  as theorem provers, proof checkers and model checkers. In
+		  this paper we will attempt to give convincing arguments for
+		  why we believe it is time for the formal methods community
+		  to shift some of its attention towards the analysis of
+		  programs written in modern programming languages. In
+		  keeping with this philosophy we have developed a
+		  verification and testing environment for Java, called Java
+		  PathFinder (JPF), which integrates model checking, program
+		  analysis and testing. Part of this work has consisted of
+		  building a new Java Virtual Machine that interprets Java
+		  bytecode. JPF uses state compression to handle big states,
+		  and partial order and symmetry reduction, slicing,
+		  abstraction, and runtime analysis techniques to reduce the
+		  state space. JPF has been applied to a real-time avionics
+		  operating system developed at Honeywell, illustrating an
+		  intricate error, and to a model of a spacecraft controller,
+		  illustrating the combination of abstraction, runtime
+		  analysis, and slicing with model checking.}
+}
+
+@InProceedings{	  bjorner.ea:path:2009,
+  author	= {Nikolaj Bj{\o}rner and Nikolai Tillmann and Andrei
+		  Voronkov},
+  title		= {Path Feasibility Analysis for String-Manipulating
+		  Programs},
+  booktitle	= {TACAS},
+  year		= 2009,
+  pages		= {307--321},
+  doi		= {10.1007/978-3-642-00768-2_27},
+  crossref	= {kowalewski.ea:tools:2009},
+  abstract	= {We discuss the problem of path feasibility for programs
+		  manipulating strings using a collection of standard string
+		  library functions. We prove results on the complexity of
+		  this problem, including its undecidability in the general
+		  case and decidability of some special cases. In the context
+		  of test-case generation, we are interested in an efficient
+		  finite model finding method for string constraints. To this
+		  end we develop a two-tier finite model finding procedure.
+		  First, an integer abstraction of string constraints are
+		  passed to an SMT (Satisfiability Modulo Theories) solver.
+		  The abstraction is either unsatisfiable, or the solver
+		  produces a model that fixes lengths of enough strings to
+		  reduce the entire problem to be finite domain. The
+		  resulting fixed-length string constraints are then solved
+		  in a second phase. We implemented the procedure in a
+		  symbolic execution framework, report on the encouraging
+		  results and discuss directions for improving the method
+		  further.}
+}
+
+@Proceedings{	  kowalewski.ea:tools:2009,
+  editor	= {Stefan Kowalewski and Anna Philippou},
+  title		= {Tools and Algorithms for the Construction and Analysis of
+		  Systems, 15th International Conference, TACAS 2009, Held as
+		  Part of the Joint European Conferences on Theory and
+		  Practice of Software, ETAPS 2009, York, UK, March 22-29,
+		  2009. Proceedings},
+  booktitle	= {TACAS},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 5505,
+  year		= 2009,
+  isbn		= {978-3-642-00767-5},
+  doi		= {10.1007/978-3-642-00768-2}
+}
+
+@InProceedings{	  huima:implementing:2007,
+  author	= {Antti Huima},
+  title		= {Implementing Conformiq Qtronic},
+  booktitle	= {TestCom/FATES},
+  year		= 2007,
+  pages		= {1--12},
+  doi		= {10.1007/978-3-540-73066-8_1},
+  crossref	= {petrenko.ea:testing:2007},
+  abstract	= {Conformiq Qtronic is a commercial tool for model driven
+		  testing. It derives tests automatically from behavioral
+		  system models. These are black-box tests [1] by nature,
+		  which means that they depend on the model and the
+		  interfaces of the system under test, but not on the
+		  internal structure (e.g. source code) of the
+		  implementation. In this essay, which accompanies my invited
+		  talk, I survey the nature of Conformiq Qtronic, the main
+		  implementation challenges that we have encountered and how
+		  we have approached them.}
+}
+
+@Proceedings{	  petrenko.ea:testing:2007,
+  editor	= {Alexandre Petrenko and Margus Veanes and Jan Tretmans and
+		  Wolfgang Grieskamp},
+  title		= {Testing of Software and Communicating Systems, 19th IFIP
+		  TC6/WG6.1 International Conference, TestCom 2007, 7th
+		  International Workshop, FATES 2007, Tallinn, Estonia, June
+		  26-29, 2007, Proceedings},
+  booktitle	= {TestCom/FATES},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 4581,
+  year		= 2007,
+  isbn		= {978-3-540-73065-1}
+}
+
+@InProceedings{	  tretmans.ea:torx:2003,
+  howpublished	= {http://eprints.eemcs.utwente.nl/9475/},
+  month		= {December},
+  author	= {G. J. Tretmans and H. Brinksma},
+  booktitle	= {First European Conference on Model-Driven Software
+		  Engineering, Nuremberg, Germany},
+  editor	= {A. Hartman and K. Dussa-Ziegler},
+  abstract	= {Systematic testing is very important for assessing and
+		  improving the quality of software systems. Yet, testing
+		  turns out to be expensive, laborious, time-consuming and
+		  error-prone. The Dutch research and development project
+		  C\^ote de Resyste worked on methods, techniques and tools
+		  for automating specification based testing using formal
+		  methods. The main achievement of the project is a test
+		  tool, baptized TorX, which integrates automatic test
+		  generation, test execution, and test analysis in an
+		  on-the-fly manner. On the one hand, TorX is based on
+		  well-defined theory, viz. the ioco-test theory, which has
+		  its roots in the theory of testing- and
+		  refusal-equivalences for transition systems. On the other
+		  hand, the applicability of TorX has been demonstrated by
+		  testing several academic and industrial case studies. This
+		  paper summarizes the main results of the project C\^ote de
+		  Resyste.},
+  title		= {TorX: Automated Model-Based Testing},
+  year		= 2003,
+  pages		= {31--43},
+  location	= {Nuremberg, Germany},
+  trnumber	= 9475,
+  event_dates	= {December 11-12, 2003},
+  num_pages	= 13
+}
+
+@InProceedings{	  jaffuel.ea:leirios:2007,
+  author	= {Eddie Jaffuel and Bruno Legeard},
+  title		= {LEIRIOS Test Generator: Automated Test Generation from B
+		  Models},
+  booktitle	= {B},
+  year		= 2007,
+  pages		= {277--280},
+  doi		= {10.1007/11955757_29},
+  crossref	= {julliand.ea:b:2006},
+  abstract	= {Since 2003, automated test generation from B abstract
+		  machines has been trying out in the smart card industry,
+		  using LEIRIOS Test Generator (LTG) for SmartCard tool. Now
+		  the major card manufacturers, such as Gemalto and Giesecke
+		  & Devrient, are regularly deploying model-based testing in
+		  their validation processes. The purpose is black-box
+		  functional testing: from the specifications (a standard or
+		  specific requirements), a B formal model is developed which
+		  is the basis for test generation. Generated test cases are
+		  then translated into executable test scripts and then run
+		  on the application.}
+}
+
+@Proceedings{	  julliand.ea:b:2006,
+  editor	= {Jacques Julliand and Olga Kouchnarenko},
+  title		= {B 2007: Formal Specification and Development in B, 7th
+		  International Conference of B Users, Besan\c{c}on, France,
+		  January 17-19, 2007, Proceedings},
+  booktitle	= {B},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 4355,
+  year		= 2006,
+  isbn		= {3-540-68760-2}
+}
+
+@InProceedings{	  hu.ea:enabling:2008,
+  author	= {Hongxin Hu and Gail-Joon Ahn},
+  title		= {Enabling verification and conformance testing for access
+		  control model},
+  booktitle	= {ACM symposium on Access control models and technologies
+		  (SACMAT)},
+  year		= 2008,
+  isbn		= {978-1-60558-129-3},
+  pages		= {195--204},
+  location	= {Estes Park, CO, USA},
+  doi		= {10.1145/1377836.1377867},
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  abstract	= {Verification and testing are the important step for
+		  software assurance. However, such crucial and yet
+		  challenging tasks have not been widely adopted in building
+		  access control systems. In this paper we propose a
+		  methodology to support automatic analysis and conformance
+		  testing for access control systems, integrating those
+		  features to Assurance Management Framework (AMF). Our
+		  methodology attempts to verify formal specifications of a
+		  role-based access control model and corresponding policies
+		  with selected security properties. Also, we systematically
+		  articulate testing cases from formal specifications and
+		  validate conformance to the system design and
+		  implementation using those cases. In addition, we
+		  demonstrate feasibility and effectiveness of our
+		  methodology using SAT and Alloy toolset.}
+}
+
+@Article{	  grindal.ea:combination:2005,
+  author	= {Mats Grindal and Jeff Offutt and Sten F. Andler},
+  title		= {Combination testing strategies: a survey},
+  journal	= {Softw. Test., Verif. Reliab.},
+  volume	= 15,
+  number	= 3,
+  year		= 2005,
+  pages		= {167--199},
+  doi		= {10.1002/stvr.319},
+  abstract	= {Combination strategies are test case selection methods
+		  that identify test cases by combining values of the
+		  different test object input parameters based on some
+		  combinatorial strategy. This survey presents 16 different
+		  combination strategies, covering more than 40 papers that
+		  focus on one or several combination strategies. This
+		  collection represents most of the existing work performed
+		  on combination strategies. This survey describes the basic
+		  algorithms used by the combination strategies. Some
+		  properties of combination strategies, including coverage
+		  criteria and theoretical bounds on the size of test suites,
+		  are also included in this description. This survey paper
+		  also includes a subsumption hierarchy that attempts to
+		  relate the various coverage criteria associated with the
+		  identified combination strategies.}
+}
+
+@InProceedings{	  goga:comparing:2001,
+  author	= {Nicolae Goga},
+  title		= {Comparing TorX, Autolink, TGV and UIO Test Algorithms},
+  booktitle	= {SDL Forum},
+  year		= 2001,
+  pages		= {379--402},
+  doi		= {10.1007/3-540-48213-X},
+  crossref	= {reed.ea:sdl:2001},
+  abstract	= {This paper presents a comparison of four algorithms for
+		  test derivation: TorX, TGV, Autolink and UIO algorithms.
+		  The algorithms are classified according to the detection
+		  power of their conformance rela- tions. Because Autolink
+		  does not have an explicit conformance relation, a
+		  conformance relation is reconstructed for it. The
+		  experimental results obtained by applying TorX, Autolink,
+		  UIO and TGV to the Conference Protocol case study are
+		  consistent with the theoretical results of this paper.}
+}
+
+@Proceedings{	  reed.ea:sdl:2001,
+  editor	= {Rick Reed and Jeanne Reed},
+  title		= {SDL 2001: Meeting UML, 10th International SDL Forum
+		  Copenhagen, Denmark, June 27-29, 2001, Proceedings},
+  booktitle	= {SDL Forum},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 2078,
+  year		= 2001,
+  isbn		= {3-540-42281-1}
+}
+
+@InProceedings{	  belinfante.ea:tools:2004,
+  author	= {Axel Belinfante and Lars Frantzen and Christian
+		  Schallhart},
+  title		= {Tools for Test Case Generation},
+  booktitle	= {Model-Based Testing of Reactive Systems},
+  year		= 2004,
+  pages		= {391--438},
+  doi		= {10.1007/11498490_18},
+  crossref	= {broy.ea:model-based:2005}
+}
+
+@Proceedings{	  broy.ea:model-based:2005,
+  editor	= {Manfred Broy and Bengt Jonsson and Joost-Pieter Katoen and
+		  Martin Leucker and Alexander Pretschner},
+  title		= {Model-Based Testing of Reactive Systems, Advanced Lectures
+		  [The volume is the outcome of a research seminar that was
+		  held in Schloss Dagstuhl in January 2004]},
+  booktitle	= {Model-Based Testing of Reactive Systems},
+  volume	= 3472,
+  year		= 2005,
+  isbn		= {3-540-26278-4},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs
+}
+
+@InProceedings{	  gardner.ea:securing:2009,
+  author	= {Ryan W. Gardner and Sujata Garera and Matthew W. Pagano
+		  and Matthew Green and Aviel D. Rubin},
+  title		= {Securing medical records on smart phones},
+  booktitle	= {ACM workshop on Security and privacy in medical and
+		  home-care systems (SPIMACS)},
+  year		= 2009,
+  isbn		= {978-1-60558-790-5},
+  pages		= {31--40},
+  location	= {Chicago, Illinois, USA},
+  doi		= {10.1145/1655084.1655090},
+  address	= pub-acm:adr,
+  publisher	= pub-acm,
+  abstract	= {There is an inherent conflict between the desire to
+		  maintain privacy of one's medical records and the need to
+		  make those records available during an emergency. To
+		  satisfy both objectives, we introduce a flexible
+		  architecture for the secure storage of medical records on
+		  smart phones. In our system, a person can view her records
+		  at any time, and emergency medical personnel can view the
+		  records as long as the person is present (even if she is
+		  unconscious). Our solution allows for efficient revocation
+		  of access rights and is robust against adversaries who can
+		  access the phone's storage offline.}
+}
+
+
+@Article{	  govaerts.ea:formal:2008,
+  author	= {John Govaerts and Arosha K. Bandara and Kevin Curran},
+  title		= {A formal logic approach to firewall packet filtering
+		  analysis and generation},
+  journal	= {Artif. Intell. Rev.},
+  volume	= 29,
+  number	= {3-4},
+  year		= 2008,
+  pages		= {223--248},
+  doi		= {10.1007/s10462-009-9147-0},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  abstract	= {Recent years have seen a significant increase in the usage
+		  of computers and their capabilities to communicate with
+		  each other. With this has come the need for more security
+		  and firewalls have proved themselves an important piece of
+		  the overall architecture, as the body of rules they
+		  implement actually realises the security policy of their
+		  owners. Unfor- tunately, there is little help for their
+		  administrators to understand the actual meaning of the
+		  firewall rules. This work shows that formal logic is an
+		  important tool in this respect, because it is particularly
+		  apt at modelling real-world situations and its formalism is
+		  conductive to reason about such a model. As a consequence,
+		  logic may be used to prove the properties of the models it
+		  represents and is a sensible way to go in order to create
+		  those models on com- puters to automate such activities. We
+		  describe here a prototype which includes a description of a
+		  network and the body of firewall rules applied to its
+		  components. We were able to detect a number of anomalies
+		  within the rule-set: inexistent elements (e.g. hosts or
+		  services on destination components), redundancies in rules
+		  defining the same action for a network and hosts belonging
+		  to it, irrelevance as rules would involve traffic that
+		  would not pass through a filtering device, and
+		  contradiction in actions applied to elements or to a
+		  network and its hosts. The prototype produces actual
+		  firewall rules as well, generated from the model and
+		  expressed in the syntax of IPChains and Cisco's PIX. }
+}
+
+@InProceedings{	  jalili.ea:specification:2002,
+  author	= {Rasool Jalili and Mohsen Rezvani},
+  title		= {Specification and Verification of Security Policies in
+		  Firewalls},
+  booktitle	= {EurAsia-ICT},
+  year		= 2002,
+  pages		= {154--163},
+  doi		= {10.1007/3-540-36087-5_18},
+  crossref	= {shafazand.ea:eurasia-ict:2002},
+  abstract	= {Rules are used as a way of managing and configuring
+		  firewalls to fulfill security requirements in most cases.
+		  Managers have to specify their organizational security
+		  policies using low level and order-dependent rules.
+		  Furthermore, dependency of firewalls to the network
+		  topology, frequent changes in network topology (specially
+		  in dynamic networks), and lack of a method for analysis and
+		  verification of specified security policy may reduce to
+		  inconsistencies and security holes. Existence of a higher
+		  level environment for security policy specification can
+		  rectify part of the problems. In this paper we present a
+		  language for high level and formal specification of
+		  security policy in firewalls. Using the language, a
+		  security manager can configure its firewall based on his
+		  required security policy independent of the network
+		  topology. The language is used as a framework for analysis
+		  and verification of security policies. We designed and
+		  implemented a tool based on theorem proving for detecting
+		  inconsistencies, coverage, as well as applying a query on
+		  the specified policy. Results of analysis can be used to
+		  detect security vulnerabilities.}
+}
+
+@Proceedings{	  shafazand.ea:eurasia-ict:2002,
+  editor	= {Hassan Shafazand and A. Min Tjoa},
+  title		= {EurAsia-ICT 2002: Information and Communication
+		  Technology, First EurAsian Conference, Shiraz, Iran,
+		  October 29-31, 2002, Proceedings},
+  booktitle	= {EurAsia-ICT},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 2510,
+  year		= 2002,
+  isbn		= {3-540-00028-3}
+}
+
+@Article{	  sutter:free:2005,
+  author	= {Herb Sutter},
+  journal	= {Dr. Dobb{\^a}s Journal},
+  number	= 3,
+  pages		= {202--210},
+  title		= {The Free Lunch Is Over: A Fundamental Turn Toward
+		  Concurrency in Software},
+  url		= {http://www.gotw.ca/publications/concurrency-ddj.htm},
+  volume	= 30,
+  year		= 2005
+}
+
+
+@InProceedings{	  lachner.ea:information:2008,
+  author	= {Janine Lachner and Hermann Hellwagner},
+  title		= {Information and Communication Systems for Mobile Emergency
+		  Response},
+  year		= 2008,
+  pages		= {213--224},
+  doi		= {10.1007/978-3-540-78942-0_22},
+  crossref	= {kaschek.ea:information:2008},
+  abstract	= {This discussion paper attempts to propose emergency
+		  response and disaster management as worthwhile areas of
+		  applied research for the information system community. The
+		  typical requirements, entities and activities involved in
+		  specifically mobile emergency response operations are
+		  summarized. Recent research contributions in this area are
+		  exemplarily reviewed in order to give a deeper insight into
+		  the role and use of mobile information and communication
+		  systems. Finally, the major challenges and research needs
+		  regarding information systems are summarized, with a view
+		  to draw the attention of information systems researchers to
+		  this interesting and important field.}
+}
+
+@Proceedings{	  kaschek.ea:information:2008,
+  editor	= {Roland Kaschek and Christian Kop and Claudia Steinberger
+		  and G{\"u}nther Fliedl},
+  title		= {Information Systems and e-Business Technologies, 2nd
+		  International United Information Systems Conference,
+		  UNISCON 2008, Klagenfurt, Austria, April 22-25, 2008,
+		  Proceedings},
+  booktitle	= {Information Systems and e-Business Technologies (UNISCON)},
+  series	= s-lnbip,
+  volume	= 5,
+  year		= 2008,
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  isbn		= {978-3-540-78941-3},
+}
+@InProceedings{	  johnson:complexity:2008,
+  author	= {Chris W. Johnson},
+  title		= {Complexity, Structured Chaos and the Importance of
+		  Information Management for Mobile Computing in the {UK}
+		  Floods of 2007},
+  booktitle	= {Mobile Response},
+  year		= 2008,
+  pages		= {1--11},
+  doi		= {10.1007/978-3-642-00440-7_1},
+  crossref	= {loffler.ea:mobile:2009},
+  abstract	= {Many research teams have developed mobile computing
+		  architectures to support the emergency and rescue services
+		  in a range of civil contingencies. These proposals are
+		  based on innovative technologies and show considerable
+		  creativity in the design of their user interfaces. In
+		  contrast, this paper presents lessons learned from the 2007
+		  UK floods. Mobile telecommunications failed in many
+		  different ways and from many different causes, including
+		  physical damage to handsets, as well as the loss of base
+		  stations and UPSs. The insights gained from the floods are
+		  being used to inform the design of next generation mobile
+		  digital communications systems for UK responders. However,
+		  the technical problems are arguably less important than the
+		  insights that were obtained about {\^a}systemic{\^a}
+		  failures in the interfaces between local government,
+		  emergency services and the variety of agencies that must
+		  cooperate in major civil contingencies. Problems in
+		  information management led to inconsistencies and
+		  incompatibilities. In consequence, the output from one
+		  application could not easily be used as input to systems
+		  operated by other agencies. These issues must be addressed
+		  before we are overwhelmed by the increased bandwidth
+		  afforded by new mobile devices and novel sensing
+		  technologies. It is concluded that unless we understand the
+		  chaos, complexity and the contextual issues that
+		  characterise previous emergency situations then there is
+		  little prospect that we will be able to design effective
+		  mobile technologies for future incidents.}
+}
+
+@Proceedings{	  loffler.ea:mobile:2009,
+  editor	= {Jobst L{\"o}ffler and Markus Klann},
+  location	= {Mobile Response, Second International Workshop on Mobile
+		  Information Technology for Emergency Response,
+		  MobileResponse 2008. Bonn, Germany, May 29-30, 2008,
+		  Revised Selected Papers},
+  title	        = {Mobile Information Technology for Emergency Response,
+		  (MobileResponse)},
+  booktitle	= {Mobile Information Technology for Emergency Response,
+		  (MobileResponse)},
+  publisher	= pub-springer,
+  address	= pub-springer:adr,
+  series	= s-lncs,
+  volume	= 5424,
+  year		= 2009,
+  isbn		= {978-3-642-00439-1},
+  doi		= {10.1007/978-3-642-00440-7}
+}
+
+@article{BrookesHR84,
+  author    = {S. D. Brookes and
+               C. A. R. Hoare and
+               A. W. Roscoe},
+  title     = {A Theory of Communicating Sequential Processes},
+  journal   = {J. {ACM}},
+  volume    = {31},
+  number    = {3},
+  pages     = {560--599},
+  year      = {1984}
+}
+
+@book{Hoare:1985:CSP:3921,
+ author = {Hoare, C. A. R.},
+ title = {Communicating Sequential Processes},
+ year = {1985},
+ isbn = {0-13-153271-5},
+ publisher = {Prentice-Hall, Inc.},
+ address = {Upper Saddle River, NJ, USA}
+} 
+
+@InProceedings{brookes-roscoe85,
+author="Brookes, S. D. and Roscoe, A. W.",
+editor="Brookes, Stephen D. and Roscoe, Andrew William and Winskel, Glynn",
+title="An improved failures model for communicating sequential processes",
+booktitle="Seminar on Concurrency",
+year="1985",
+publisher="Springer",
+address="Berlin, Heidelberg",
+pages="281--305",
+abstract="We extend the failures model of communicating processes to allow a more satisfactory 
+          treatment of divergence in addition to deadlock. The relationship between the revised 
+          model and the old model is discussed, and we make some connections with various models 
+          proposed by other authors.",
+isbn="978-3-540-39593-5"
+}
+
+@techreport{KriegBrueckner95,
+   author = {Krieg-Br\"uckner, B. and Peleska, J. and Olderog,  E.-R. and Balzer, D. and Baer, A.},
+   title = "Uniform Workbench --- Universelle Entwicklungsumgebung für formale Methoden",
+   institution = "Technischer Bericht 8/95",
+   year=1995,
+   address="Univ. Bremen",
+   note="\url{http://www.informatik.uni-bremen.de/~uniform}"
+}               
+
+@book{donovan2015go,
+  title={The Go Programming Language},
+  author={Donovan, A.A.A. and Kernighan, B.W.},
+  isbn={9780134190563},
+  series={Addison-Wesley Professional Computing Series},
+  year={2015},
+  publisher={Pearson Education}
+}
+
+@ARTICLE{Barret95, 
+author={G. {Barrett}}, 
+journal={IEEE Transactions on Software Engineering}, 
+title={Model checking in practice: the T9000 virtual channel processor}, 
+year={1995}, 
+volume={21}, 
+number={2}, 
+pages={69-78}, 
+keywords={transputers;circuit CAD;formal specification;circuit analysis computing;model checking;T9000 virtual channel processor;formal method;industrial products;visual specification styles;case study;nonstandard CSP operators;visual specification style;INMOS CAD system;Design engineering;Design methodology;Hardware;Testing;Product design;Refining;Design automation;Manufacturing processes;Geometry;Process design}, 
+doi={10.1109/32.345823}, 
+ISSN={2326-3881}, 
+month={Feb}}
+
+@article{Camilleri90,
+  author    = {Albert John Camilleri},
+  title     = {Mechanizing {CSP} Trace Theory in Higher Order Logic},
+  journal   = {{IEEE} Trans. Software Eng.},
+  volume    = {16},
+  number    = {9},
+  pages     = {993--1004},
+  year      = {1990}
+}
+
+@InProceedings{Camilleri91,
+author="Camilleri, Albert J.",
+editor="Birtwistle, Graham",
+title="A Higher Order Logic Mechanization of the CSP Failure-Divergence Semantics",
+booktitle="IV Higher Order Workshop, Banff 1990",
+year="1991",
+publisher="Springer",
+address="London",
+pages="123--150",
+abstract="Reasoning using process algebras often involves doing complex proofs, and computer-based support to facilitate the task is therefore desirable. In this paper we show how a general-purpose theorem prover based on higher order logic provides a natural framework for mechanizing the process algebra CSP. This is done by defining the semantics of the CSP operators in the logic and proving the high-level algebraic laws from the definitions as theorems. We mechanize a variation on the failure-divergence semantics that does not use alphabets at the syntactic level, but embeds them in the semantics. Our approach abstracts further from the explicit use of alphabets by modelling them as type variables. The result is a mechanized theory for a polymorphic formalization of CSP.",
+isbn="978-1-4471-3182-3"
+}
+
+@book{books/daglib/0032976,
+  added-at = {2014-03-12T00:00:00.000+0100},
+  author = {Euzenat, Jérôme and Shvaiko, Pavel},
+  biburl = {https://www.bibsonomy.org/bibtex/28d5372a81f181d9d5a761ca12209cf39/dblp},
+  interhash = {fc55a5b84d114e38db0a0303cc1bd7da},
+  intrahash = {8d5372a81f181d9d5a761ca12209cf39},
+  isbn = {978-3-642-38720-3},
+  keywords = {dblp},
+  pages = {I-XVII, 1-511},
+  publisher = {Springer},
+  timestamp = {2015-06-18T09:49:52.000+0200},
+  title = {Ontology Matching, Second Edition.},
+  year = 2013
+}
+
+
+
+@misc{AFP-ref22,
+  title        = "{A}rchive of {F}ormal {P}roofs",
+  author       = "{M.Eberl and G. Klein and A. Lochbihler and 
+                   T. Nipkow and L. Paulson and R. Thiemann (eds)}",
+  howpublished = "\url{https://afp-isa.org}",
+  year         = 2022,
+  note         = "Accessed: 2018-12-06"
+}
+
+
+@article{HOL-CSP-AFP,
+  author  = {Safouan Taha and Lina Ye and Burkhart Wolff},
+  title   = {{HOL-CSP Version 2.0}},
+  journal = {Archive of Formal Proofs},
+  month   = apr,
+  year    = 2019,
+  note    = {\url{http://isa-afp.org/entries/HOL-CSP.html}},
+  ISSN    = {2150-914x},
+}
+
+
+@InProceedings{FDRTutorial2000,
+author="Broadfoot, Philippa
+and Roscoe, Bill",
+editor="Havelund, Klaus
+and Penix, John
+and Visser, Willem",
+title="Tutorial on FDR and Its Applications",
+booktitle="SPIN Model Checking and Software Verification",
+year="2000",
+publisher="Springer Berlin Heidelberg",
+address="Berlin, Heidelberg",
+pages="322--322",
+abstract="FDR [1] is a refinement checker for the process algebra CSP [2,4], based on that language's well-established semantic models. FDR stands for Failures-Divergences Refinement, after the premier model. In common with many other model checkers, it works by ``determinising'' (or normalising) a specification and enumerating states in the cartesian product of this and the implementation. Unlike most, the specification and implementation are written in the same language. Under development by its creators, Formal Systems (a spin-off of the Computing Laboratory) since 1991, it now offers a range of state compression methods. On current workstations it can work at up to 20M states/hour with only a small degradation on moving to disc-based storage.",
+isbn="978-3-540-45297-3"
+}
+
+@article{Roscoe1992AnAO,
+  title={An Alternative Order for the Failures Model},
+  author={A. W. Roscoe},
+  journal={J. Log. Comput.},
+  year={1992},
+  volume={2},
+  pages={557-577}
+}
+
+@book{Roscoe:UCS:2010,
+    author = {Roscoe, A.W.},
+    title = {Understanding Concurrent Systems},
+    year = {2010},
+    isbn = {184882257X, 9781848822573},
+    edition = {1st},
+    publisher = {Springer-Verlag},
+    address = {Berlin, Heidelberg},
+} 
+
+@inproceedings{SunLDP09,
+  author    = {Jun Sun and Yang Liu and Jin Song Dong and Jun Pang},
+  title     = {PAT: Towards Flexible Verification under Fairness},
+  journal   = {Proceedings of the 21th International Conference on Computer Aided Verification (CAV'09)},
+  year      = {2009},
+   publisher = {Springer},
+  pages     = {709-714},
+  series    = {Lecture Notes in Computer Science},
+  volume    = {5643},
+}
+
+@inproceedings{journals/corr/abs-1202-4835,
+  author    = {Makarius Wenzel and
+               Burkhart Wolff},
+  title     = {Isabelle/PIDE as Platform for Educational Tools},
+  booktitle = {Proceedings First Workshop on {CTP} Components for Educational Software,
+               THedu'11, Wroclaw, Poland, 31th July 2011.},
+  pages     = {143--153},
+  year      = {2011},
+}
+
+@inproceedings{Paulson:porting:17,
+  author    = {Lawrence C. Paulson},
+  title     = {Porting the {HOL} light analysis library: some lessons (invited talk)},
+  booktitle = {Proceedings of the 6th {ACM} {SIGPLAN} Conference on Certified Programs
+               and Proofs, {CPP} 2017, Paris, France, January 16-17, 2017},
+  pages     = {1},
+  year      = {2017},
+ }
+
+@inproceedings{gauthier.ea:logic:2015,
+  author    = {Thibault Gauthier and
+               Cezary Kaliszyk},
+  title     = {Sharing {HOL4} and {HOL} Light Proof Knowledge},
+  booktitle = {Logic for Programming, Artificial Intelligence, and Reasoning - 20th
+               International Conference, {LPAR-20} 2015, Suva, Fiji, November 24-28,
+               2015, Proceedings},
+  pages     = {372--386},
+  year      = {2015},
+}
+
+@misc{fdr4,
+  title = {{FDR4 - The CSP Refinement Checker}},
+  howpublished = {\url{https://www.cs.ox.ac.uk/projects/fdr/}},
+  year = {2019},
+  pages = {}
+}
+
+@InProceedings{scott:cpo:1972,
+author="Scott, Dana",
+editor="Lawvere, F. W.",
+title="Continuous lattices",
+booktitle="Toposes, Algebraic Geometry and Logic",
+year="1972",
+publisher="Springer",
+address="Berlin, Heidelberg",
+pages="97--136",
+abstract="Starting from the topological point of view a certain wide class of To-spaces is introduced having a very strong extension property for continuous functions with values in these spaces. It is then shown that all such spaces are complete lattices whose lattice structure determines the topology --- these are the continuous lattices --- and every such lattice has the extension property. With this foundation the lattices are studied in detail with respect to projections, subspaces, embeddings, and constructions such as products, sums, function spaces, and inverse limits. The main result of the paper is a proof that every topological space can be embedded in a continuous lattice which is homeomorphic (and isomorphic) to its own function space. The function algebra of such spaces provides mathematical models for the Church-Curry $\lambda$-calculus.",
+isbn="978-3-540-37609-5"
+}
+
+@article{AnZhangYou14,
+author = {An, Jing and Zhang, Lei and You, Chun},
+year = {2014},
+month = {04},
+pages = {1386-1392},
+title = {The Design and Implementation of Data Independence in the CSP Model of Security Protocol},
+volume = {915-916},
+journal = {Advanced Materials Research},
+doi = {10.4028/www.scientific.net/AMR.915-916.1386}
+}
+
+@InProceedings{ByMC,
+author="Konnov, Igor
+and Widder, Josef",
+editor="Margaria, Tiziana
+and Steffen, Bernhard",
+title="ByMC: Byzantine Model Checker",
+booktitle="Leveraging Applications of Formal Methods, Verification and Validation. Distributed Systems",
+year="2018",
+publisher="Springer International Publishing",
+address="Cham",
+pages="327--342",
+abstract="In recent work [10, 12], we have introduced a technique for automatic verification of threshold-guarded distributed algorithms that have the following features: (1) up to t of processes may crash or behave Byzantine; (2) the correct processes count messages and progress when they receive sufficiently many messages, e.g., at least {\$}{\$}t+1{\$}{\$}; (3) the number n of processes in the system is a parameter, as well as t; (4) and the parameters are restricted by a resilience condition, e.g., {\$}{\$}n > 3t{\$}{\$}.",
+isbn="978-3-030-03424-5"
+}
+
+@inproceedings{Cubicle,
+  author    = {Sylvain Conchon and
+               Amit Goel and
+               Sava Krstic and
+               Alain Mebsout and
+               Fatiha Za\"{\i}di},
+  title     = {Cubicle: A Parallel SMT-Based Model Checker for Parameterized
+               Systems - Tool Paper},
+  booktitle = {Computer Aided Verification - 24th International Conference},
+  year      = {2012},
+  pages     = {718-724},
+  ee        = {http://dx.doi.org/10.1007/978-3-642-31424-7_55},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+@proceedings{DBLP:conf/cav/2012,
+  editor    = {P. Madhusudan and
+               Sanjit A. Seshia},
+  title     = {Computer Aided Verification - 24th International Conference,
+               CAV 2012, Berkeley, CA, USA, July 7-13, 2012 Proceedings},
+  booktitle = {CAV},
+  publisher = {Springer},
+  series    = {Lecture Notes in Computer Science},
+  volume    = {7358},
+  year      = {2012},
+  isbn      = {978-3-642-31423-0},
+  ee        = {http://dx.doi.org/10.1007/978-3-642-31424-7},
+  bibsource = {DBLP, http://dblp.uni-trier.de}
+}
+
+@InProceedings{Kind2,
+author="Champion, Adrien
+and Mebsout, Alain
+and Sticksel, Christoph
+and Tinelli, Cesare",
+editor="Chaudhuri, Swarat
+and Farzan, Azadeh",
+title="The Kind 2 Model Checker",
+booktitle="Computer Aided Verification",
+year="2016",
+publisher="Springer International Publishing",
+address="Cham",
+pages="510--517",
+abstract="Kind 2 is an open-source, multi-engine, SMT-based model checker for safety properties of finite- and infinite-state synchronous reactive systems. It takes as input models written in an extension of the Lustre language that allows the specification of assume-guarantee-style contracts for system components. Kind 2 was implemented from scratch based on techniques used by its predecessor, the PKind model checker. This paper discusses a number of improvements over PKind in terms of invariant generation. It also introduces two main features: contract-based compositional reasoning and certificate generation.",
+isbn="978-3-319-41540-6"
+}
+
+@InProceedings{JKind,
+author="Gacek, Andrew
+and Backes, John
+and Whalen, Mike
+and Wagner, Lucas
+and Ghassabani, Elaheh",
+editor="Chockler, Hana
+and Weissenbacher, Georg",
+title="The JKind Model Checker",
+booktitle="Computer Aided Verification",
+year="2018",
+publisher="Springer International Publishing",
+address="Cham",
+pages="20--27",
+abstract="JKind is an open-source industrial model checker developed by Rockwell Collins and the University of Minnesota. JKind uses multiple parallel engines to prove or falsify safety properties of infinite state models. It is portable, easy to install, performance competitive with other state-of-the-art model checkers, and has features designed to improve the results presented to users: inductive validity cores for proofs and counterexample smoothing for test-case generation. It serves as the back-end for various industrial applications.",
+isbn="978-3-319-96142-2"
+}
+
+@inproceedings{AntoninoGR16,
+  author    = {Pedro Antonino and
+               Thomas Gibson{-}Robinson and
+               A. W. Roscoe},
+  title     = {Efficient Deadlock-Freedom Checking Using Local Analysis and {SAT} Solving},
+  booktitle = {Integrated Formal Methods 2016},
+  pages     = {345--360},
+  year      = {2016}
+}
+
+@inproceedings{BensalemGLNSY11,
+  author    = {Saddek Bensalem and
+               Andreas Griesmayer and
+               Axel Legay and
+               Thanh{-}Hung Nguyen and
+               Joseph Sifakis and
+               Rongjie Yan},
+  title     = {D-Finder 2: Towards Efficient Correctness of Incremental Design},
+  booktitle = {{NASA} Formal Methods - Third International Symposium, {NFM} 2011,
+               Pasadena, CA, USA, April 18-20, 2011. Proceedings},
+  pages     = {453--458},
+  year      = {2011} 
+}
+
+@article{BloemJKKRVW16,
+  author    = {Roderick Bloem and
+               Swen Jacobs and
+               Ayrat Khalimov and
+               Igor Konnov and
+               Sasha Rubin and
+               Helmut Veith and
+               Josef Widder},
+  title     = {Decidability in Parameterized Verification},
+  journal   = {{SIGACT} News},
+  volume    = {47},
+  number    = {2},
+  pages     = {53--64},
+  year      = {2016}
+}
+
+@article{Suzuki88,
+  author    = {Ichiro Suzuki},
+  title     = {Proving Properties of a Ring of Finite-State Machines},
+  journal   = {Inf. Process. Lett.},
+  volume    = {28},
+  number    = {4},
+  pages     = {213--214},
+  year      = {1988} 
+}
+
+@article{FinkelS01,
+  author    = {Alain Finkel and
+               Philippe Schnoebelen},
+  title     = {Well-structured transition systems everywhere!},
+  journal   = {Theor. Comput. Sci.},
+  volume    = {256},
+  number    = {1-2},
+  pages     = {63--92},
+  year      = {2001} 
+}
+
+@article{AntoninoGR19,
+  author    = {Pedro Antonino and
+               Thomas Gibson{-}Robinson and
+               A. W. Roscoe},
+  title     = {Efficient Verification of Concurrent Systems Using Synchronisation
+               Analysis and {SAT/SMT} Solving},
+  journal   = {{ACM} Trans. Softw. Eng. Methodol.},
+  volume    = {28},
+  number    = {3},
+  pages     = {18:1--18:43},
+  year      = {2019} 
+}
+
+
+@book{andrews2002introduction,
+  title={An Introduction to Mathematical Logic and Type Theory},
+  author={Andrews, P.B.},
+  isbn={9781402007637},
+  lccn={2002031656},
+  series={Applied Logic Series},
+  year={2002},
+  publisher={Springer Netherlands}
+}
+
+@InProceedings{10.1007/978-3-642-27705-4_20,
+author="Feliachi, Abderrahmane
+and Gaudel, Marie-Claude
+and Wolff, Burkhart",
+editor="Joshi, Rajeev
+and M{\"u}ller, Peter
+and Podelski, Andreas",
+title="Isabelle/Circus: A Process Specification and Verification Environment",
+booktitle="Verified Software: Theories, Tools, Experiments",
+year="2012",
+publisher="Springer Berlin Heidelberg",
+address="Berlin, Heidelberg",
+pages="243--260",
+abstract="The Circus specification language combines elements for complex data and behavior specifications, using an integration of Z and CSP with a refinement calculus. Its semantics is based on Hoare and He's unifying theories of programming (UTP).",
+isbn="978-3-642-27705-4"
+}
+
+﻿@InProceedings{10.1007/978-3-642-16690-7_9,
+author="Feliachi, Abderrahmane
+and Gaudel, Marie-Claude
+and Wolff, Burkhart",
+editor="Qin, Shengchao",
+title="Unifying Theories in Isabelle/HOL",
+booktitle="Unifying Theories of Programming",
+year="2010",
+publisher="Springer Berlin Heidelberg",
+address="Berlin, Heidelberg",
+pages="188--206",
+abstract="In this paper, we present various extensions of Isabelle/HOL by theories that are essential for several formal methods. First, we explain how we have developed an Isabelle/HOL theory for a part of the Unifying Theories of Programming (UTP). It contains the theories of alphabetized relations and designs. Then we explain how we have encoded first the theory of reactive processes and then the UTP theory for CSP. Our work takes advantage of the rich existing logical core of HOL.",
+isbn="978-3-642-16690-7"
+}
+
+@incollection{HOL-CSP-iFM2020,
+  keywords = {Process-Algebra, Concurrency, Computational Models, Parametric System Verification},
+  author = {Safouan Taha and Lina Ye and Burkhart Wolff},
+  booktitle = {Integrated Formal Methods (iFM)},
+  language = {USenglish},
+  publisher = {Springer-Verlag},
+  address = {Heidelberg},
+  series = {Lecture Notes in Computer Science},
+  number = {12546},
+  doi = {10.1007/978-3-030-63461-2_23},
+  editor = {Carlo A. Furia},
+  title = {{P}hilosophers may {D}ine - {D}efinitively!},
+  pdf = {https://www.lri.fr/~wolff/papers/conf/2020-iFM_CSP.pdf},
+  classification = {conference},
+  areas = {formal methods, software},
+  year = {2020},
+  public = {yes}
+}
+
+@inproceedings{DBLP:conf-ifm-BruckerW19,
+  author    = {Achim D. Brucker and
+               Burkhart Wolff},
+  editor    = {Wolfgang Ahrendt and
+               Silvia Lizeth Tapia Tarifa},
+  title     = {Using Ontologies in Formal Developments Targeting Certification},
+  booktitle = {Integrated Formal Methods - 15th International Conference, {IFM} 2019,
+               Bergen, Norway, December 2-6, 2019, Proceedings},
+  series    = {Lecture Notes in Computer Science},
+  volume    = {11918},
+  pages     = {65--82},
+  publisher = {Springer},
+  year      = {2019},
+  url       = {https://doi.org/10.1007/978-3-030-34968-4\_4},
+  doi       = {10.1007/978-3-030-34968-4\_4},
+  timestamp = {Tue, 26 Nov 2019 18:31:02 +0100},
+  bibsource = {dblp computer science bibliography, https://dblp.org}
+}
+
diff --git a/examples/scholarly_paper/2022-phd-poster/paper.thy b/examples/scholarly_paper/2022-phd-poster/paper.thy
new file mode 100644
index 0000000..758360d
--- /dev/null
+++ b/examples/scholarly_paper/2022-phd-poster/paper.thy
@@ -0,0 +1,1343 @@
+(*<*)
+theory "paper"
+  imports "Isabelle_DOF.scholarly_paper"
+begin
+
+open_monitor*[this::article]
+
+declare[[ strict_monitor_checking  = false]]
+declare[[ Definition_default_class = "definition"]]
+declare[[ Lemma_default_class      = "lemma"]]
+declare[[ Theorem_default_class    = "theorem"]]
+
+define_shortcut* hol      \<rightleftharpoons> \<open>HOL\<close>
+                 isabelle \<rightleftharpoons> \<open>Isabelle/HOL\<close>
+                 dof      \<rightleftharpoons> \<open>Isabelle/DOF\<close>
+                 LaTeX    \<rightleftharpoons> \<open>LaTeX\<close>
+                 html     \<rightleftharpoons> \<open>HTML\<close>
+                 csp      \<rightleftharpoons> \<open>CSP\<close>      \<comment>\<open>obsolete\<close>
+                 holcsp   \<rightleftharpoons> \<open>HOL-CSP\<close>  \<comment>\<open>obsolete\<close> 
+ 
+
+ML\<open>
+
+fun boxed_text_antiquotation name (* redefined in these more abstract terms *) =
+    DOF_lib.gen_text_antiquotation name DOF_lib.report_text 
+                           (fn ctxt => DOF_lib.string_2_text_antiquotation ctxt
+                                       #> DOF_lib.enclose_env false ctxt "isarbox")
+
+val neant = K(Latex.text("",\<^here>))
+
+fun boxed_theory_text_antiquotation name (* redefined in these more abstract terms *) =
+    DOF_lib.gen_text_antiquotation name DOF_lib.report_theory_text 
+                           (fn ctxt => DOF_lib.string_2_theory_text_antiquotation ctxt 
+                                        #> DOF_lib.enclose_env false ctxt "isarbox"
+                                        (* #> neant *)) (*debugging *)
+
+fun boxed_sml_text_antiquotation name  =
+    DOF_lib.gen_text_antiquotation name (K(K())) 
+                           (fn ctxt => Input.source_content 
+                                        #> Latex.text 
+                                        #> DOF_lib.enclose_env true ctxt "sml") 
+                           (* the simplest conversion possible *)
+
+fun boxed_pdf_antiquotation name =
+    DOF_lib.gen_text_antiquotation name (K(K())) 
+                           (fn ctxt => Input.source_content 
+                                        #> Latex.text 
+                                        #> DOF_lib.enclose_env true ctxt "out") 
+                           (* the simplest conversion possible *)
+
+fun boxed_latex_antiquotation name =
+    DOF_lib.gen_text_antiquotation name (K(K())) 
+                           (fn ctxt => Input.source_content 
+                                        #> Latex.text 
+                                        #> DOF_lib.enclose_env true ctxt "ltx") 
+                           (* the simplest conversion possible *)
+
+fun boxed_bash_antiquotation name =
+    DOF_lib.gen_text_antiquotation name (K(K())) 
+                           (fn ctxt => Input.source_content 
+                                        #> Latex.text 
+                                        #> DOF_lib.enclose_env true ctxt "bash") 
+                           (* the simplest conversion possible *)
+\<close>
+
+setup\<open>(* std_text_antiquotation        \<^binding>\<open>my_text\<close> #> *)
+      boxed_text_antiquotation         \<^binding>\<open>boxed_text\<close> #>
+      (* std_text_antiquotation        \<^binding>\<open>my_cartouche\<close> #> *)
+      boxed_text_antiquotation         \<^binding>\<open>boxed_cartouche\<close> #>
+      (* std_theory_text_antiquotation \<^binding>\<open>my_theory_text\<close>#> *)
+      boxed_theory_text_antiquotation  \<^binding>\<open>boxed_theory_text\<close> #>
+
+      boxed_sml_text_antiquotation     \<^binding>\<open>boxed_sml\<close> #>
+      boxed_pdf_antiquotation          \<^binding>\<open>boxed_pdf\<close> #>
+      boxed_latex_antiquotation        \<^binding>\<open>boxed_latex\<close>#>
+      boxed_bash_antiquotation         \<^binding>\<open>boxed_bash\<close> 
+     \<close>
+
+(*>*)
+
+title*[tit::title]\<open>A Framework for Proving Ontology-Relations and Runtime Testing Ontology Instances\<close>
+
+text*[idir::author,
+        email       ="\<open>idir.aitsadoune@centralesupelec.fr\<close>",
+        orcid       ="''0000-0002-6484-8276''",
+        affiliation ="\<open>Université Paris-Saclay, CentraleSupélec, LMF, France\<close>"]\<open>Idir Ait-Sadoune\<close>
+
+text*[nic::author,
+        email       ="\<open>nicolas.meric@universite-paris-saclay.fr\<close>",
+        orcid       ="''0000-0002-0756-7072''",
+        affiliation ="\<open>Université Paris-Saclay, LMF, France\<close>"]\<open>Nicolas Méric\<close>
+text*[bu::author,
+        email       ="\<open>burkhart.wolff@universite-paris-saclay.fr\<close>",
+        affiliation = "\<open>Université Paris-Saclay, LMF, France\<close>"]\<open>Burkhart Wolff\<close>
+           
+text*[abs::abstract, 
+      keywordlist="[\<open>Ontologies\<close>,\<open>Formal Documents\<close>,\<open>Formal Development\<close>,\<open>Isabelle/HOL\<close>,\<open>Ontology Mapping\<close>,\<open>Certification\<close>]"]
+\<open>  \<^dof> is an ontology framework on top of Isabelle 
+   @{cite "brucker.ea:isabelledof:2019" and "brucker.ea:isabelle-ontologies:2018"}. 
+   \<^dof>  allows for the formal development of ontologies as well as continuous checking that
+   a formal document under development conforms to an underlying ontology. Such a document may 
+   contain text and code elements as well as formal Isabelle definitions and proofs.
+   Thus, \<^dof> is designed to annotate and trace typed meta-data 
+   within formal developments in Isabelle.  
+
+   In this paper we extend  \<^dof> with \<^emph>\<open>invariants\<close> (or: ontological \<^emph>\<open>rules\<close>). Via a reflection 
+   mechanism, this allows for efficient run-time checking of abstract properties of formal
+   content under evolution. Additionally, invariants have a formal represention in HOL amenable to
+   formal proofs over mappings between different ontologies.  
+   With this feature widely called \<^emph>\<open>ontology mapping\<close> in the literature, our framework paves the 
+   way for advanced uses such as ``semantic'' search and translation. We demonstrate the use of 
+   these new features in an extended  ontology used for formal developments targeting CENELEC 
+   certifications.
+    \<^vs>\<open>-0.3cm\<close> \<close>
+(*
+section*[introheader::introduction] \<open> Introduction \<close>
+
+text*[introtext::introduction]\<open> \<^vs>\<open>-0.2cm\<close>
+The linking of \<^emph>\<open>formal\<close> and \<^emph>\<open>informal\<close> information is perhaps the most pervasive challenge 
+in the digitization of knowledge and its propagation. Unsurprisingly, this problem reappears 
+in the libraries with formalized mathematics and engineering such as the Isabelle Archive of 
+Formal Proofs @{cite "AFP-ref22"} (AFP), which passed the impressive numbers of 650 articles, 
+written by 420 authors at the beginning of 2022. Together with the AFP, there is also a growing 
+body on articles concerned with formal software engineering such as standardized language 
+definitions (e.g., @{cite "CakeML-AFP" and "brucker.ea:featherweight:2014"}), 
+data-structures 
+(e.g., @{cite "brucker.ea:afp-core-dom:2018" and "Splay_Tree-AFP"}), hardware- models 
+(e.g., @{cite "SPARCv8-AFP"}), 
+security-related specifications 
+(e.g., @{cite "brucker.ea:upf-firewall:2017" and "Security_Protocol_Refinement-AFP"}), 
+or operating systems (e. g., @{cite "verbeek.ea:formal:2014" and "klein.ea:comprehensive:2014"}).
+
+
+Still, while the problem of logical consistency
+even under system-changes and pervasive theory evolution is technically solved via continuous 
+proof-checking, the problem of knowledge retrieval and of linking semi-formal explanations to 
+definitions and proofs remains largely open.
+% The \<^emph>\<open>knowledge\<close> problem of the increasingly massive \<^emph>\<open>digital information\<close> available
+% incites numerous research efforts summarized under the labels ``semantic web'', 
+% ``integrated document management'', or any form of advanced ``semantic'' text processing. 
+% These technologies are increasingly important  in jurisprudence, medical research and 
+% life-sciences in order to tame their respective publication tsunamies. 
+The central role in technologies adressing the \<^emph>\<open>knowledge\<close> problem
+is played by \<^emph>\<open>document ontologies\<close>, \<^ie>, a machine-readable form
+of meta-data attached to document-elements as well as their document discourse. In order 
+to make these techniques applicable to \<^emph>\<open>formal theory development\<close>,
+the following is needed: \<^vs>\<open>0.2cm\<close>
+
+\<^item> a general mechanism to define and develop \<^emph>\<open>domain-specific\<close> ontologies,
+\<^item> ... that should be adapted to entities occurring in formal theories,
+  \<^ie>, provide built-in support for types, terms, theorems, proofs, etc.,
+\<^item> ways to annotate meta-data generated by ontologies to the document elements,
+  as ``deep'' as possible, together with strong validation checks,
+\<^item> a smooth integration into the theory document development process, and
+\<^item> ways to relate ontologies and ontology-conform documents along different
+  ontologies by \<^emph>\<open>ontological mappings\<close> and \<^emph>\<open>data translations\<close>
+  @{footnote \<open>We follow throughout this text the terminology established in 
+              @{cite "books/daglib/0032976"}, pp. 39 ff.\<close>}.
+\<close>
+
+text\<open>  \<^vs>\<open>-0.2cm\<close>
+Recently, \<^dof> @{cite "brucker.ea:isabelledof:2019" and "brucker.ea:isabelle-ontologies:2018"}
+\<^footnote>\<open>The official releases are available at \<^url>\<open>https://zenodo.org/record/6385695\<close>, the
+  developer version at \<^url>\<open>https://github.com/logicalhacking/Isabelle_DOF\<close>.\<close> 
+has been designed as an Isabelle component that attempts to answer these needs. 
+ \<^dof> generates from  ontology definitions directly integrated into Isabelle theories
+typed meta-data, that may be annotated to a number of document elements and that were 
+validated ``on-the-fly'' during the general continuous type and proof-checking process 
+in an IDE (Isabelle/PIDE). Thus, we extend the document-centric view on code, definitions, 
+proofs, text-elements, etc., prevailing in the Isabelle system framework.
+
+In more detail, \<^dof> introduces a number of ``ontology aware'' text-elements with analogous 
+syntax to standard ones. The difference is a bracket with meta-data of the form:
+@{theory_text [display,indent=10, margin=70] 
+\<open>text*[label::classid, attr\<^sub>1=E\<^sub>1, ... attr\<^sub>n=E\<^sub>n]\<open> some semi-formal text \<close>
+ML*[label::classid, attr\<^sub>1=E\<^sub>1, ... attr\<^sub>n=E\<^sub>n]\<open> some SML code \<close>
+...\<close>}
+In these \<^dof> elements, a meta-data object is created and associated to it. This 
+meta-data can be referenced via its label and used in further computations in text or code.
+%; the details will be explained in the subsequent section. 
+
+Admittedly, Isabelle is not the first system that comes into one's mind when writing a scientific 
+paper, a book, or a larger technical documentation. However, it has a typesetting system inside 
+which is in the tradition of document generation systems such as mkd, Document! X, Doxygen, 
+Javadoc, etc., and which embed formal content such as formula pretty-prints into semi-formal text 
+or code. The analogous mechanism the Isabelle system provides is a machine-checked macro 
+called \<^emph>\<open>antiquotation\<close> that depends on the logical context of the document element.
+
+With standard Isabelle antiquotations, for example, the following text element
+of the integrated source will appear  in Isabelle/PIDE as follows:
+@{theory_text [display,indent=10, margin=70] 
+\<open>text\<open> According to the reflexivity axiom @{thm refl}, we obtain in \<Gamma>
+       for @{term "fac 5"} the result @{value "fac 5"}.\<close>\<close>}
+In the corresponding generated \<^LaTeX> or HTML output, this looks like this:
+@{cartouche [display,indent=17, margin=70]
+  \<open>According to the reflexivity axiom \<open>x = x\<close>, we obtain in \<Gamma> 
+ for \<open>fac 5\<close> the result \<open>120\<close>.\<close>}
+where the meta-texts \<open>@{thm refl}\<close> (``give the presentation of theorem `refl'\,\!''), 
+\<open>@{term "fac 5"}\<close> (``parse and type-check `fac 5' in the previous logical context'')
+and \<open>@{value "fac 5"}\<close> (``compile and execute `fac 5' according to its
+definitions'') are built-in antiquotations in \<^hol>. 
+
+One distinguishing feature of \<^dof> is that specific antiquotations \<^emph>\<open>were generated from
+an ontology\<close> rather than being hard-coded into the Isabelle system infrastructure.
+\<close>
+
+(*
+text
+\<open>
+
+%too long !
+This leads to an evolution strategy we call "integrate the document, strengthen the
+links" (IDSL): integrate all sources into the Isabelle document model, and 
+replace \<^emph>\<open>text\<close> by appropriate \<^emph>\<open>meta-text\<close> wherever you can.
+Developers are rewarded for applying IDSL by specific IDE-support, 
+by additional semantic checks and thus by a more robust document consistency 
+which is easier to maintain under collaborative changes.
+%For example, if someone changes the theorem name, an error would result when processing
+%the text. On the other hand, \<open>@{value "fac 5"}\<close> would not guard against a change of definition 
+%of \<open>fac\<close>. If this is desirable, an antiquotation like \<open>@{assert "fac 5 = 120"}\<close> would be more appropriate.
+%too long !
+Antiquotations do not only occur in text-elements in Isabelle; they are also heavily used 
+in the code-elements of Isabelle's SML implementation, or were specifically supported in 
+C-program contexts in Isabelle/C @{cite "Tuong-IsabelleC:2019"}. 
+
+However, programming antiquotations on the intern Isabelle API's is nothing for the 
+faint-hearted. Recently, \<^dof> @{cite "brucker.ea:isabelledof:2019" and "brucker.ea:isabelle-ontologies:2018"} 
+has been designed as an Isabelle component that \<^emph>\<open>generates\<close> antiquotation languages
+from a more abstract description, namely an \<^emph>\<open>ontology\<close> that provides typed meta-data
+and typed reference mechanisms inside text- and ML-contexts. 
+
+*)
+
+text\<open>As novel contribution, this work extends prior versions of \<^dof> by 
+\<^enum> support of antiquotations in a new class of contexts, namely \<^emph>\<open>term contexts\<close> 
+  (rather than SML code or semi-formal text). Thus, annotations generated
+  from  \<^dof> may also occur in \<open>\<lambda>\<close>-terms used to denote meta-data. 
+\<^enum> formal, machine-checked invariants on meta-data, which correspond to the concept of 
+  ``rules'' in OWL~ @{cite "OWL2014"} or ``constraints'' in UML, and which can be specified in 
+  common \<^hol> \<open>\<lambda>\<close>-term syntax.
+\<close>
+text\<open> \<^noindent> For example, the \<^dof> command evaluating the \<^hol>-expression:
+@{theory_text [display,indent=10, margin=70]
+\<open>value*[ass::Assertion, relvce=4::int] 
+        \<open>filter (\<lambda> \<sigma>. relvce \<sigma> > 2) @{Assertion-instances}\<close>\<close>}
+where \<^dof> command \<open>value*\<close> type-checks, expands in an own validation phase
+the \<open>Assertion-instances\<close>-term antiquotation, and evaluates the resulting \<^hol> expression
+above. Assuming an ontology providing the class \<open>Assertion\<close> having at least the
+integer attribute \<open>relvce\<close>, the command finally creates an instance of \<open>Assertion\<close> and 
+binds this to label \<open>ass\<close>, while setting its \<open>relvce\<close> to 4.
+
+Beyond the gain of expressivity in \<^dof> ontologies, term-anti\-quotations pave the way 
+for advanced queries of elements inside an integrated source, and invariants 
+allow for formal proofs over the relations/translations of ontologies and ontology-instances.
+The latter question raised scientific interest under the label ``ontology mapping'' for 
+which we therefore present a formal solution. To sum up, we completed \<^dof> to
+a fairly rich ontology language oriented to interactive theorem proving (ITP) systems, 
+which is a concrete proposal for formal development projects targeting a certification, 
+for technical documentation, for books with a high amount of machine-checked formal content 
+or for mathematical libraries such as the AFP.\<close>
+
+(*<*)
+declare_reference*[casestudy::text_section]
+(*>*)
+
+section*[bgrnd::background,main_author="Some(@{docitem ''bu''}::author)"] \<open> Background\<close>
+(*
+subsection\<open>Isabelle/DOF Design and Implementation\<close>
+text\<open>
+  In this section, we provide a guided tour through the underlying technologies of this paper: 
+  \begin{inparaenum} 
+   \item Isabelle and Isabelle/HOL, 
+   \item \<^dof> and its Ontology Definition Language (ODL).
+  \end{inparaenum}
+\<close>
+subsection*[bgrnd_isabelle::text_section]\<open>Isabelle and HOL\<close>
+text\<open>
+  While still widely perceived as an interactive theorem proving environment, Isabelle 
+  @{cite "nipkow.ea:isabelle:2002"} has become a generic system framework providing 
+  an infrastructure for plug-ins. This comprises extensible 
+  state components, extensible syntax, code-generation, and advanced documentation support. 
+  The plugin Isabelle/HOL offers a modeling language similar to functional programming languages
+  extended by a logic and automated proof and animation techniques.
+\<close>
+*)
+subsection*[bgrnd_isadof::background]\<open>The \<^dof> Framework\<close>
+text\<open>
+  \<^dof>~@{cite "brucker.ea:isabelle-ontologies:2018" and 
+              "brucker.ea:isabelledof:2019"} 
+  is a document ontology framework that extends \<^isabelle>.
+  \<^dof> offers basically two things: a language called Ontology Definition Language (ODL)
+  to \<^emph>\<open>specify\<close> a formal ontology,
+  and ways to \<^emph>\<open>annotate\<close> an integrated document written in \<^isabelle> with the specified
+  meta-data. Additionally, \<^dof> generates from an ontology a family of 
+  \<^emph>\<open>anti\-quotations\<close> allowing to specify  machine-checked links between ODL entities. 
+%  Unlike UML, however, \<^dof> allows for integrated documents with informal and formal elements
+%  including the necessary management of logical contexts. 
+
+  The perhaps most attractive aspect of \<^dof> is its deep integration into the IDE of Isabelle 
+  (Isabelle/PIDE), which allows a hypertext-like navigation as well as fast user-feedback
+  during development and evolution of the integrated source. This includes rich editing support, 
+  including on-the-fly semantics checks, hinting, or auto-completion. 
+  \<^dof> supports \<^LaTeX>-based document generation as well as ontology-aware ``views'' on 
+  the integrated document, \<^ie>, specific versions of generated PDF addressing, \<^eg>,
+  different stake-holders. 
+
+\<close>
+
+(*<*)
+figure*[isadof_screenshot::figure, relative_width="100", src="''figures/cicm2018-combined''"]\<open>
+  The \<^dof> IDE (left) and the corresponding PDF(right).
+\<close>
+text*[description_scrrenshot::background]\<open>
+  @{docitem \<open>isadof_screenshot\<close>} shows \<^dof> in action: the left-hand side shows the IDE of 
+  \<^dof> in the context of a user session maintaining our case study 
+  (see @{docitem (unchecked) "casestudy"}) 
+  where a user is editing a semi-formal requirement. The right-hand side show the 
+  generated PDF document that can be used within a certification process. 
+\<close>
+(*>*)
+
+subsection*[bgrnd_ODL::background]\<open>A Guided Tour through ODL\<close>
+text\<open>
+  \<^dof> provides a strongly typed ODL that provides the usual 
+  concepts of ontologies such as
+  \<^item> \<^emph>\<open>document class\<close> (using the \<^theory_text>\<open>doc_class\<close> keyword) that describes a concept,
+  \<^item> \<^emph>\<open>attributes\<close> specific to document classes (attributes might be initialized with default 
+    values), and
+  \<^item> a special link, the reference to a super-class,
+    establishes an \<^emph>\<open>is-a\<close> relation between classes.
+%  classes may refer to other classes via a regular expression in an optional \<^emph>\<open>where\<close> clause 
+%    (a class with a where clause is called \<^emph>\<open>monitor\<close>).\<close>
+
+text\<open>\<^vs>\<open>-0.2cm\<close> The types of attributes are \<^hol>-types. Thus, ODL can refer to any predefined type 
+  from the \<^hol> library, \<^eg>, \<^type>\<open>string\<close>, \<^type>\<open>int\<close> as well as parameterized types, \<^eg>, 
+  \<^type>\<open>option\<close>,  \<^type>\<open>list\<close>. As a consequence of the Isabelle document model, ODL definitions 
+  may be arbitrarily mixed with standard \<^hol> type definitions. Document class definitions are 
+  \<^hol>-types, allowing for formal \<^emph>\<open>links\<close> to and between ontological concepts. For example, the 
+  basic concept of requirements from CENELEC 50128~@{cite "bsi:50128:2014"} is captured in ODL as 
+  follows:
+  @{theory_text [display,indent=10, margin=70]
+\<open>doc_class requirement = text_element +   (* \<comment> \<open>derived from text_element\<close> *)
+          long_name   ::"string option"   (* \<comment> \<open>an optional string attribute\<close> *)
+          is_concerned::"role set"        (* \<comment> \<open>roles working with this req.\<close> *) \<close>}
+  This ODL class definition maybe part of one or more Isabelle theory-files capturing the entire
+  ontology definition. Isabelle's session management allows for pre-compiling them before being 
+  imported in the actual target document. \<close>
+
+side_by_side_figure*["text-elements"::side_by_side_figure,anchor="''fig-Req-Def-ex''",
+                      caption="''A Text-Element as Requirement.''",relative_width="48",
+                      src="''figures/Req-Def-ex''",anchor2="''fig-Req-Appl-ex''",
+                      caption2="''Referencing a Requirement.''",relative_width2="48",
+                      src2="''figures/Req-Appl-ex''"]\<open>Referencing a Requirement. \<close>
+
+text\<open>@{figure "text-elements"} shows an ontological annotation of a requirement and its referencing
+  via an antiquotation \<^theory_text>\<open>@{requirement \<open>req1\<close>}\<close>; the latter is generated from the above 
+  class definition. Undefined or ill-typed references were rejected, the high-lighting displays 
+  the hyperlinking which is activated on a click. The class-definition of \<open>requirement\<close> and its 
+  documentation is also revisited via one activation click.\<close>
+(*
+
+text\<open>\<^dof>'s generated antiquotations are part of a general mechanism of  
+  Isabelle's standard antiquotations heavily used in various papers and technical reports.
+  For example, in the following informal text, the antiquotation \<^verbatim>\<open>thm refl\<close> refers  
+  to the reflexivity axiom from HOL: 
+@{theory_text [display,indent=10, margin=70]
+\<open>
+  text<Open>According to the reflexivity axiom <@>{thm refl}, we obtain in \<Gamma>
+         for <@>{term <Open>fac 5<Close>} the result <@>{value <Open>fac 5<Close>}.<Close>\<close>}
+  In the PDF output, this is represented as follows:
+  \begin{out}
+  According to the reflexivity axiom $x = x$, we obtain in \<open>\<Gamma>\<close> for $\operatorname{fac} 5$ the result $120$.
+  \end{out}
+  The antiquotation \inlineisar|<@>{value <Open>fac 5<Close>}| refers to a function that is defined in the 
+  preceding logical context (and parsed as inner syntax) to compute the value of $5!$, \ie, $120$. 
+  Summing up, antiquotations can refer to formal content, can be type-checked before being displayed 
+  and can be used for calculations before actually being typeset. All these features can be
+  used for the calculation of attribute values (as in @{docitem \<open>text-elements\<close>}, observe the value 
+  \<open>UNIV\<close> used to set the attribute \<open>is_concerned\<close> is a HOL-constant denoting the universal set).
+
+  Finally, for each ontological concept, a custom representation, using \<^LaTeX>-notation, for the 
+  generated PDF document can be defined. The latter includes, \<^eg>, the possibility to automatically 
+  generated glossaries or lists of concepts. 
+\<close>
+
+*)
+(*<*)
+type_synonym A = int 
+type_synonym B = int
+record T =
+  x :: A
+  y :: B
+
+term "\<lparr>x = a,y = b\<rparr>"
+(*>*)
+text\<open>\<^vs>\<open>-0.1cm\<close> \<^noindent> \<^isabelle> supports records at the level of terms and 
+types. The notation for terms and types is as follows: \<^vs>\<open>-0.2cm\<close>
+\<^item> record terms \<^term>\<open>\<lparr>x = a,y = b\<rparr>\<close> and corresponding record types \<open>\<lparr>x::A, y::B\<rparr>\<close>,
+\<^item> the resulting selectors are written \<^term>\<open>x(r::T)\<close>, \<^term>\<open>y(r::T)\<close>.\<close>
+
+text\<open> \<^noindent> In fact, \<^theory_text>\<open>onto_class\<close>es and the logically equivalent  \<^theory_text>\<open>doc_class\<close>es were
+represented by \<^emph>\<open>extensible\<close> record types and instances thereof by HOL terms 
+(see @{cite"brucker.ea:isabelledof:2019"} for details.).  
+Invariants of an \<^theory_text>\<open>onto_class\<close> are just predicates over extensible record
+types and were applied to subclasses. \<close>
+
+subsection\<open>Term-Evaluations in Isabelle\<close>
+text\<open>Besides the powerful, but relatively slow Isabelle rewriting-based proof method,
+ there are  two other techniques for term evaluation: \<^vs>\<open>-0.2cm\<close>
+\<^item> evaluation via reflection @{cite "HaftmannN10"} (\<^theory_text>\<open>eval\<close>), and
+\<^item> normalization by evaluation @{cite "AehligHN12"} (\<^theory_text>\<open>nbe\<close>).\<close>
+
+text\<open> \<^noindent>  The former is based on a nearly one-to-one compilation of HOL-level datatype specifications 
+and function definitions into SML datatypes and functions.
+The latter technique --- allowing for free variables in terms --- uses a generic data-universe
+enriched by explicit variables. Both techniques are several orders of magnitude faster 
+than standard rewriting. \<^dof> uses both to generate code that evaluates invariant and data-integrity 
+checks on-the-fly during editing. For all examples in our library, this form of runtime-testing
+ is sufficiently fast to remain unnoticed by the user.
+\<close>
+(*
+text\<open>
+The generated code is directly compiled by the underlying SML compiler of the 
+Isabelle platform. This way, pattern-matching becomes natively compiled rather
+than interpreted as in the matching process of \<^theory_text>\<open>simp\<close>. @{cite "AehligHN12"} 
+describes scenarios where \<^theory_text>\<open>eval\<close> is five orders of magnitude faster than \<^theory_text>\<open>simp\<close>.
+However, it is restricted to ground terms. 
+
+The latter is based on a compilation of datatype specifications into a uniform
+data-universe enriched by closures and explicit variables. Recursive function 
+definitions in \<^hol> were compiled to SML functions where the argument terms
+were represented in the data-universe. Pattern-matching is still compiled to
+native functions executed if closures are completed.  \<^theory_text>\<open>nbe\<close> is not restricted
+to ground terms, but lies in its efficiency between  \<^theory_text>\<open>simp\<close> and  \<^theory_text>\<open>eval\<close>.
+
+\<^dof> uses a combination of these three techniques in order to check invariants
+for ontological classes on the fly during editing, paving the way for both
+a uniform specification language of ontological data --- namely \<^hol> --- as
+well as the possibility to \<^emph>\<open>prove\<close> properties over and relations between
+classes.\<close>
+*)
+
+section*[invariants::technical,main_author="Some(@{docitem ''nic''}::author)"] 
+\<open>Term-Context Support, Invariants and Queries in DOF\<close>
+
+(*<*)
+(* Ontology example for mathematical papers *)
+
+doc_class myauthor =
+  email :: "string" <= "''''"
+
+value \<open>{2::int} = {1::int}\<close>
+text*[church::myauthor, email="\<open>church@lambda.org\<close>"]\<open>\<close>
+value*\<open>@{myauthor \<open>church\<close>}\<close>
+print_doc_items
+ML\<open>val t = @{docitem "church"}\<close>
+doc_class mytext_section =
+  authored_by :: "myauthor set" <= "{}"
+  level :: "int option" <= "None"
+doc_class myintro = mytext_section +
+  authored_by :: "myauthor set"  <= "UNIV" 
+  uses :: "string set"
+  (*invariant author_finite :: "authored_by \<sigma> = {@{myauthor \<open>church\<close>}}"*)
+  invariant author_finite :: "finite (authored_by \<sigma>)"
+  invariant force_level :: "the (level \<sigma>) > 1"
+term\<open>authored_by \<sigma> =
+     insert (myauthor.make
+             paper_myauthor_tag_attribute_Attribute_Not_Initialized
+             paper_myauthor_email_Attribute_Not_Initialized
+             \<lparr>myauthor.email := [], myauthor.email := ''church@lambda.org''\<rparr>) bot\<close>
+term \<open>\<lambda>\<sigma>. authored_by \<sigma> =
+      insert ( myauthor.make
+               paper_myauthor_tag_attribute_Attribute_Not_Initialized
+               paper_myauthor_email_Attribute_Not_Initialized
+               \<lparr>myauthor.email := [], myauthor.email := ''church@lambda.org''\<rparr>)
+             bot
+\<close>
+term \<open>myauthor.make
+               paper_myauthor_tag_attribute_Attribute_Not_Initialized
+               paper_myauthor_email_Attribute_Not_Initialized
+               \<lparr>myauthor.email := [], myauthor.email := ''church@lambda.org''\<rparr>
+             
+\<close>
+ML\<open>
+val ctxt = @{context}
+val thy = @{theory}
+val schemeN = "_scheme"
+val cid_long = "paper.myintro"
+fun update_attribute_type thy cid_long class_scheme_ty
+            (Const (s, Type (st,[ty, ty'])) $ t) =
+              let
+                val cid = Long_Name.qualifier s
+              in case DOF_core.get_doc_class_global cid thy of
+                     NONE => Const (s, Type(st,[ty, ty']))
+                             $ (update_attribute_type thy cid_long class_scheme_ty t)
+                   | SOME _ => if DOF_core.is_subclass_global thy cid_long cid then
+                                 Const(s, Type(st,[class_scheme_ty, ty']))
+                                 $ (update_attribute_type thy cid_long class_scheme_ty t)
+                               else 
+                                 Const (s, Type(st,[ty, ty']))
+                                 $ (update_attribute_type thy cid_long class_scheme_ty t)
+              end
+          | update_attribute_type thy cid_long class_scheme_ty (t $ t') =
+              (update_attribute_type thy cid_long class_scheme_ty t)
+              $ (update_attribute_type thy cid_long class_scheme_ty t')
+          | update_attribute_type thy cid_long class_scheme_ty (Abs(s, ty, t)) =
+              Abs(s, ty, update_attribute_type thy cid_long class_scheme_ty t)
+          | update_attribute_type _ cid_long class_scheme_ty (Free(s, ty)) = if s = invariantN 
+                                                                     then Free (s, class_scheme_ty)
+                                                                     else Free (s, ty)
+          | update_attribute_type _ cid_long _ t = t
+(*val (Const (s, Type (st,[ty, ty'])) $ t) = inv_term_test*)
+val inv_ty = Syntax.read_typ (Proof_Context.init_global thy)
+                                     (Name.aT ^ " " ^ cid_long ^ schemeN)
+val inv = "authored_by \<sigma> = {@{myauthor \<open>church\<close>}}"
+val pos = \<^here>
+val inv_term = Syntax.read_term (Proof_Context.init_global thy) inv
+val _ = writeln("inv_term: " ^ Syntax.string_of_term  (Proof_Context.init_global thy) inv_term)
+val inv_term_test = DOF_core.transduce_term_global {mk_elaboration=true} (inv_term, pos) thy
+val _ = writeln("inv_term_test: " ^ Syntax.string_of_term  (Proof_Context.init_global thy) inv_term_test)
+val inv_term' = update_attribute_type thy cid_long inv_ty inv_term_test
+val _ = writeln("inv_term': " ^ Syntax.string_of_term  (Proof_Context.init_global thy) inv_term')
+val abs_term = Term.lambda (Free (invariantN, inv_ty)) inv_term'
+val _ = writeln("abs_term: " ^ Syntax.string_of_term  (Proof_Context.init_global thy) abs_term)
+\<close>
+ML\<open>
+ 
+val thy = @{theory}
+val ctxt = @{context}
+val un = Syntax.read_term ctxt "12::int"
+val schemeN = "_scheme"
+val cid_long = "paper.myintro"
+val read_cond = Syntax.read_term ctxt
+         ("\<lambda>\<sigma>. authored_by \<sigma> ="
+          ^ "insert (myauthor.make"
+          ^ " paper_myauthor_tag_attribute_Attribute_Not_Initialized"
+          ^ " paper_myauthor_email_Attribute_Not_Initialized"
+          ^ " \<lparr>myauthor.email := [], myauthor.email := ''church@lambda.org''\<rparr>) bot")
+val read_cond = Syntax.read_term ctxt
+         ("\<lambda>\<sigma>. authored_by \<sigma> ="
+          ^ "insert (myauthor.make (1::int) ''church@lambda.org'')"
+          ^ " bot")
+val inv_ty = Syntax.read_typ (Proof_Context.init_global thy)
+                                     (Name.aT ^ " " ^ cid_long ^ schemeN)
+val eq_inv_ty = inv_ty --> HOLogic.boolT
+val f_sty = eq_inv_ty
+val lbl = "author_finite'"
+val cond_suffix = "_inv"
+val binding = Binding.make (lbl,\<^here>)
+fun meta_eq_const T = Const (\<^const_name>\<open>Pure.eq\<close>, T --> T --> propT);
+fun mk_meta_eq (t, u) = meta_eq_const (fastype_of t) $ t $ u;
+val bdg = Binding.suffix_name cond_suffix binding
+val eq =  mk_meta_eq(Free(Binding.name_of bdg, f_sty),read_cond)
+val _ = writeln(Syntax.string_of_term  (Proof_Context.init_global thy) eq)
+\<close>
+find_consts name:"authored_by"
+find_consts name:"author_finite"
+find_consts name:"*email*"
+find_consts name:"*level*"
+find_consts name:"force_level_inv"
+find_theorems name:"HOL.refl"
+print_theorems
+print_doc_items
+ML\<open>
+datatype ref = dattyperef;
+\<close>
+doc_class myclaim = myintro +
+  based_on :: "string list"
+doc_class mytechnical = mytext_section +
+  formal_results :: "thm list" 
+
+datatype kind = expert_opinion | argument | "proof"
+
+doc_class myresult = mytechnical +
+  evidence :: kind
+  property :: "thm list" <= "[]"
+  invariant has_property :: "evidence \<sigma> = proof \<longleftrightarrow> property \<sigma> \<noteq> []"
+doc_class myconclusion = mytext_section +
+  establish :: "(myclaim \<times> myresult) set"
+(*  invariant establish_defined :: "\<forall> x. x \<in> Domain (establish \<sigma>)
+                      \<longrightarrow> (\<exists> y \<in> Range (establish \<sigma>). (x, y) \<in> establish \<sigma>)"*)
+
+  invariant establish_defined2 :: "\<forall> x. x \<in> Domain (establish \<sigma>)
+                      \<longrightarrow> (\<exists> y \<in> Range (establish \<sigma>). (x, y) \<in> establish \<sigma>)"
+
+(*declare[[invariants_checking = true]]*)
+(*declare[[invariants_checking_with_tactics = true]]*)
+
+
+
+text*[proof1::myresult, evidence = "proof", property="[@{thm \<open>HOL.refl\<close>}]"]\<open>\<close>
+
+text*[proof2::myresult, evidence = "proof", property="[@{thm \<open>HOL.sym\<close>}]"]\<open>\<close>
+
+term*\<open>@{myauthor \<open>church\<close>}\<close>
+(*term*\<open>@{myauthor \<open>churche\<close>}\<close>*)
+
+value*\<open>email @{myauthor \<open>church\<close>}\<close>
+(*value*\<open>email @{myauthor \<open>churche\<close>}\<close>*)
+
+(*assert*\<open>@{myresult \<open>proof1\<close>} = @{myresult \<open>proof2\<close>}\<close>*)
+
+(*text*[intro1::myintro, authored_by = "{@{myauthor \<open>church\<close>}}", level = "Some 0"]\<open>\<close>*)
+
+(*text*[claimNotion::myclaim, authored_by = "{@{myauthor \<open>church\<close>}}", based_on= "[\<open>Notion1\<close>, \<open>Notion2\<close>]", level = "Some 0"]\<open>\<close>*)
+
+value*\<open>authored_by (myintro.make (1::int) {@{myauthor \<open>church\<close>}} (Some 2) {\<open>test1\<close>, \<open>test2\<close>}) = {@{myauthor \<open>church\<close>}}\<close>
+text*[intro2::myintro, authored_by = "{@{myauthor \<open>church\<close>}}", level = "Some 2"]\<open>\<close>
+
+value*\<open>authored_by @{myintro \<open>intro2\<close>} = {@{myauthor \<open>church\<close>}}\<close>
+declare[[invariants_checking = false]]
+declare[[invariants_checking_with_tactics = false]]
+(*>*)
+
+text\<open>
+  To offer a smooth integration into the \<^emph>\<open>formal\<close> theory development process,
+  \<^isabelle> should be able to dynamically interpret the source document.
+  But the specific antiquotations introduced by \<^dof> are not directly recognized
+  by \<^isabelle>, and the process of term checking and evaluation must be enriched.
+  Previous works~@{cite "brucker.ea:isabelle-ontologies:2018" and "brucker.ea:isabelledof:2019"}
+  added a validation step for the SML and semi-formal text contexts.
+  To support \<^dof> antiquotations in the term contexts, the validation step should
+  be improved and a new step, which we call \<^emph>\<open>elaboration\<close> must be added to allow
+  these antiquotations in \<open>\<lambda>\<close>-terms.
+  The resulting process encompasses the following steps:
+    \<^item> Parsing of the term which represents the object in \<^hol>,
+    \<^item> Typeinference/Typechecking of the term,
+    \<^item> Ontological validation of the term: the meta-data of term antiquotations is 
+      parsed and checked in the logical context,
+    \<^item> Elaboration of term antiquotations: depending of the antiquotation specific
+      elaboration function, the antiquotations containing references were replaced,
+      for example, by the object they refer to in the logical context,
+    \<^item> Generation of markup information for the Isabelle/PIDE, and
+    \<^item> Code generation:
+      \<^item> Evaluation of \<^hol> expressions with ontological annotations,
+      \<^item> Generation of ontological invariants processed simultaneously
+        with the generation of the document (a theory in \<^hol>).
+
+  \<^isabelle> provides inspection commands to type-check (the command \<^theory_text>\<open>term\<close>)
+  and to evaluate a term (the command \<^theory_text>\<open>value\<close>).
+  We provide the equivalent commands, respectively \<^theory_text>\<open>term*\<close> and \<^theory_text>\<open>value*\<close>, which 
+  additionally support a validation and elaboration phase.
+  A variant of  \<^theory_text>\<open>value*\<close> is  \<^theory_text>\<open>assert*\<close>, which additionally checks
+  that the term-evaluation results in \<^const>\<open>True\<close>.
+  Note that term antiquotations are admitted in all \<^dof> commands, not just
+  \<^theory_text>\<open>term*\<close>, \<^theory_text>\<open>value*\<close> etc. 
+\<close>
+
+(*<*)
+declare_reference*["type-checking-example"::side_by_side_figure]
+(*>*)
+
+text\<open>
+  If we take back the example ontology for mathematical papers
+  of~@{cite "brucker.ea:isabelledof:2019"} shown in \autoref{fig-ontology-example}
+\begin{figure}
+@{boxed_theory_text [display]
+\<open>datatype kind = expert_opinion | argument | "proof"
+
+doc_class myauthor =
+  email :: "string" <= "''''"
+doc_class mytext_section =
+  authored_by :: "myauthor set" <= "{}"
+  level :: "int option" <= "None"
+doc_class myintro = mytext_section +
+  authored_by :: "myauthor set"  <= "UNIV" 
+  uses :: "string set"
+  invariant author_finite :: "finite (authored_by \<sigma>)"
+  and force_level :: "the (level \<sigma>) > 1"
+doc_class myclaim = myintro +
+  based_on :: "string list"
+doc_class mytechnical = text_section +
+  formal_results :: "thm list" 
+doc_class myresult = mytechnical +
+  evidence :: kind
+  property :: "thm list" <= "[]"
+  invariant has_property :: "evidence \<sigma> = proof \<longleftrightarrow> property \<sigma> \<noteq> []"
+doc_class myconclusion = text_section +
+  establish :: "(myclaim \<times> myresult) set"
+  invariant establish_defined :: "\<forall> x. x \<in> Domain (establish \<sigma>)
+                      \<longrightarrow> (\<exists> y \<in> Range (establish \<sigma>). (x, y) \<in> establish \<sigma>)"\<close>}
+\caption{Excerpt of an Example Ontology for mathematical Papers.}
+\label{fig-ontology-example}
+\end{figure}
+  we can define some class instances for this ontology with the \<^theory_text>\<open>text*\<close> command,
+  as in \autoref{fig-instances-example}.
+\begin{figure}
+@{boxed_theory_text [display]
+\<open>text*[church::myauthor, email="\<open>church@lambda.org\<close>"]\<open>\<close>
+text*[proof1::myresult, evidence="proof", property="[@{thm \<open>HOL.refl\<close>}]"]\<open>\<close>
+text*[proof2::myresult, evidence="proof", property="[@{thm \<open>HOL.sym\<close>}]"]\<open>\<close>
+text*[intro1::myintro, authored_by="{@{myauthor \<open>church\<close>}}", level="Some 0"]\<open>\<close>
+text*[intro2::myintro, authored_by="{@{myauthor \<open>church\<close>}}", level="Some 2"]\<open>\<close>
+text*[claimNotion::myclaim, authored_by="{@{myauthor \<open>church\<close>}}"
+      , based_on="[\<open>Notion1\<close>,\<open>Notion2\<close>]", level="Some 0"]\<open>\<close>\<close>}
+\caption{Some Instances of the Classes of the Ontology of \autoref{fig-ontology-example}.}
+\label{fig-instances-example}
+\end{figure}
+  In the instance \<^theory_text>\<open>intro1\<close>, the term antiquotation  \<^theory_text>\<open>@{myauthor \<open>church\<close>}\<close>,
+  or its equivalent notation \<^term>\<open>@{myauthor \<open>church\<close>}\<close>, denotes
+  the instance \<^theory_text>\<open>church\<close> of the class \<^typ>\<open>myauthor\<close>,
+  where \<^theory_text>\<open>church\<close> is a \<^hol>-string.
+  One can now reference a class instance in a \<^theory_text>\<open>term*\<close> command.
+  In the command  \<^theory_text>\<open>term*\<open>@{myauthor \<open>church\<close>}\<close>\<close>
+  the term \<^term>\<open>@{myauthor \<open>church\<close>}\<close> is type-checked, \<^ie>, the command \<^theory_text>\<open>term*\<close> checks that
+  \<^theory_text>\<open>church\<close> references a term of type \<^typ>\<open>myauthor\<close> against the global context
+  (see \<^side_by_side_figure>\<open>type-checking-example\<close>).
+\<close>
+
+
+side_by_side_figure*[
+  "type-checking-example"::side_by_side_figure
+  , anchor="''fig-term-type-checking-ex''"
+  , caption="''Church is an existing Instance.''"
+  , relative_width="48"
+  , src="''figures/term-context-checking-example''"
+  , anchor2="''fig-term-type-checking-failed-ex''"
+  , caption2="''The Churche Instance is not defined.''"
+  , relative_width2="48"
+  , src2="''figures/term-context-failed-checking-example''"
+]\<open>Type-Checking of Antiquotations in a Term-Context.\<close>
+
+(*<*)
+declare_reference*["evaluation-example"::side_by_side_figure]
+(*>*)
+
+text\<open>
+  The command \<^theory_text>\<open>value*\<open>email @{author \<open>church\<close>}\<close>\<close>
+  validates \<^term>\<open>@{myauthor \<open>church\<close>}\<close>
+  and returns the attribute-value of \<^const>\<open>email\<close> for the \<^theory_text>\<open>church\<close> instance,
+  \<^ie> the \<^hol> string \<^term>\<open>''church@lambda.org''\<close>
+  (see \<^side_by_side_figure>\<open>evaluation-example\<close>).
+\<close>
+
+side_by_side_figure*[
+  "evaluation-example"::side_by_side_figure
+  , anchor="''fig-term-evaluation-ex''"
+  , caption="''The Evaluation succeeds.''"
+  , relative_width="48"
+  , src="''figures/term-context-evaluation-example''"
+  , anchor2="''fig-term-failed-evaluation-ex''"
+  , caption2="''The Evaluation fails.''"
+  , relative_width2="48"
+  , src2="''figures/term-context-failed-evaluation-example''"
+]\<open>Evaluation of Antiquotations in a Term-Context.\<close>
+
+(*
+figure*[
+  "term-context-checking-example-figure"::figure
+  , relative_width="99"
+  , src="''figures/term-context-checking-example''"
+]\<open>The invariant \<^theory_text>\<open>force_level\<close> of the class claim is inherited
+  from the class \<^theory_text>\<open>introduction\<close> and is violated by the instance \<^theory_text>\<open>claimNotion\<close>.
+\<close>
+
+figure*[
+  "term-context-evaluation-figure"::figure
+  , relative_width="99"
+  , src="''figures/term-context-evaluation-example''"
+]\<open>The invariant \<^theory_text>\<open>force_level\<close> of the class claim is inherited
+  from the class \<^theory_text>\<open>introduction\<close> and is violated by the instance \<^theory_text>\<open>claimNotion\<close>.
+\<close>
+*)
+
+(*<*)
+declare_reference*["term-context-equality-evaluation"::figure]
+(*>*)
+
+text\<open>
+  Since term antiquotations are logically uninterpreted constants,
+  it is possible to compare class instances logically. The assertion
+  in the \<^figure>\<open>term-context-equality-evaluation\<close> fails:
+  the class instances \<^theory_text>\<open>proof1\<close> and \<^theory_text>\<open>proof2\<close> are not equivalent
+  because their attribute \<^term>\<open>property\<close> differs.
+  When \<^theory_text>\<open>assert*\<close> evaluates the term,
+  the term antiquotations \<^term>\<open>@{thm \<open>HOL.refl\<close>}\<close> and \<^term>\<open>@{thm \<open>HOL.sym\<close>}\<close> are checked
+  against the global context such that the strings \<^term>\<open>\<open>HOL.refl\<close>\<close> and \<^term>\<open>\<open>HOL.sym\<close>\<close>
+  denote existing theorems.
+\<close>
+
+figure*[
+  "term-context-equality-evaluation"::figure
+  , relative_width="80"
+  , src="''figures/term-context-equality-evaluation-example''"
+]\<open>Evaluation of the Equivalence of two Class Instances.
+\<close>
+
+text\<open>
+  The mechanism of term annotations is also used for the new concept of 
+  invariant constraints which can be specified in common \<^hol> syntax.
+  They were introduced by the keyword \<^theory_text>\<open>invariant\<close>
+  in a class definition (recall \autoref{fig-ontology-example}).
+  Following the constraints proposed in @{cite "brucker.ea:isabelle-ontologies:2018"}, 
+  one can specify that any instance of a class \<^typ>\<open>myresult\<close>
+  finally has a non-empty property list, if its \<^typ>\<open>kind\<close> is \<^const>\<open>proof\<close>
+  (see the \<^theory_text>\<open>invariant has_property\<close>), or that 
+  the relation between \<^typ>\<open>myclaim\<close> and \<^typ>\<open>myresult\<close> expressed in the attribute \<^const>\<open>establish\<close>
+  must be defined when an instance
+  of the class \<^typ>\<open>myconclusion\<close> is defined (see the \<^theory_text>\<open>invariant establish_defined\<close>).
+
+  In \autoref{fig-ontology-example}, the \<^theory_text>\<open>invariant author_finite\<close> of the class \<^typ>\<open>myintro\<close> 
+  enforces that the user defines the \<^const>\<open>authored_by\<close> set with some valid meta-data of type \<open>myauthor\<close>.
+  The \<open>\<sigma>\<close> symbol is reserved and references the future class instance.
+  By relying on the implementation of the Records
+  in \<^isabelle>~@{cite "wenzel:isabelle-isar:2020"},
+  one can reference an attribute of an instance using its selector function.
+  For example, \<^term>\<open>establish \<sigma>\<close> denotes the value
+  of the attribute \<^const>\<open>establish\<close>
+  of the future instance of the class \<^typ>\<open>myconclusion\<close>.
+\<close>
+
+(*<*)
+declare_reference*["inherited-invariant-checking-figure"::figure]
+(*>*)
+
+text\<open>
+  The value of each attribute defined for the instances is checked at run-time
+  against their class invariants.
+  Classes also inherit the invariants from their super-class.
+  As the class \<^typ>\<open>myclaim\<close> is a subclass
+  of the class \<^typ>\<open>myintro\<close>, it inherits the \<^typ>\<open>myintro\<close> invariants.
+  In \<^figure>\<open>inherited-invariant-checking-figure\<close>,
+  we attempt to specify a new instance \<^theory_text>\<open>claimNotion\<close> of the class \<^typ>\<open>myclaim\<close>.
+  However, the invariant checking triggers an error because
+  the \<^theory_text>\<open>invariant force_level\<close> forces the value of the argument
+  of the attribute \<^const>\<open>level\<close> to be greater than 1,
+  and we initialize it to \<^term>\<open>Some (0::int)\<close> in \<^theory_text>\<open>claimNotion\<close>.
+\<close>
+
+figure*[
+  "inherited-invariant-checking-figure"::figure
+  , relative_width="99"
+  , src="''figures/inherited-invariant-checking-violated-example''"
+]\<open>Inherited Invariant Violation.\<close>
+
+(*<*)
+value*\<open>map (myresult.property) @{myresult-instances}\<close>
+value*\<open>map (mytext_section.authored_by) @{myintro-instances}\<close>
+
+value*\<open>filter (\<lambda>\<sigma>. myresult.evidence \<sigma> = proof) @{myresult-instances}\<close>
+value*\<open>filter (\<lambda>\<sigma>. the (mytext_section.level \<sigma>) > 1) @{myintro-instances}\<close>
+value*\<open>filter (\<lambda>\<sigma>. myresult.evidence \<sigma> = argument) @{myresult-instances}\<close>
+(*>*)
+
+text\<open>
+  Any class definition generates term antiquotations checking a class instance reference
+  in a particular logical context; these references were
+  elaborated to objects they refer to.
+  This paves the way for a new mechanism to query the ``current'' instances presented
+  as a \<^hol> \<^type>\<open>list\<close>.
+  Arbitrarily complex queries can therefore be defined inside the logical language.
+  Thus, to get the list of the properties of the instances of the class \<^typ>\<open>myresult\<close>,
+  or to get the list of the authors of the instances of the  \<^typ>\<open>myintro\<close> class,
+  it suffices to treat this meta-data as usual:
+  @{theory_text [display,indent=5, margin=70]
+\<open>value*\<open>map (myresult.property) @{myresult-instances}\<close>
+value*\<open>map (mytext_section.authored_by) @{myintro-instances}\<close>\<close>}
+  In order to get the list of the instances of the class \<^typ>\<open>myresult\<close>
+  whose \<^const>\<open>evidence\<close> is a \<^const>\<open>proof\<close>, one can use the command:
+  @{theory_text [display,indent=5, margin=70]
+\<open>value*\<open>filter (\<lambda>\<sigma>. myresult.evidence \<sigma> = proof) @{myresult-instances}\<close>\<close>}
+\<close>
+
+section*["morphisms"::technical,main_author="Some(@{docitem ''idir''}::author)"] \<open>Proving Morphisms on Ontologies\<close>
+
+(*<*)
+(* Mapped_PILIB_Ontology example *)
+term\<open>fold (+) S 0\<close>  
+
+definition sum 
+  where "sum S = (fold (+) S 0)"
+
+datatype Hardware_Type = 
+  Motherboard | 
+  Expansion_Card | 
+  Storage_Device | 
+  Fixed_Media | 
+  Removable_Media |
+  Input_Device |
+  Output_Device
+
+(* Reference Ontology *)
+onto_class Resource =
+  name :: string
+
+onto_class Electronic = Resource +
+  provider :: string
+  manufacturer :: string
+
+onto_class Component = Electronic +
+  mass :: int
+  dimensions :: "int list" 
+
+onto_class Informatic = Resource +
+  description :: string
+
+onto_class Hardware = Informatic +
+  type :: Hardware_Type
+  mass :: int
+  composed_of :: "Component list" 
+  invariant c1 :: "mass \<sigma> = sum(map Component.mass (composed_of \<sigma>))"
+
+(* Local Ontology *)
+onto_class Item =
+  name :: string
+
+onto_class Product = Item +
+  serial_number :: int
+  provider :: string
+  mass :: int
+
+onto_class Computer_Hardware = Product +
+  type :: Hardware_Type
+  composed_of :: "Product list" 
+  invariant c2 :: "Product.mass \<sigma> = sum(map Product.mass (composed_of \<sigma>))"
+
+
+definition Product_to_Component_morphism :: "Product \<Rightarrow> Component"
+           ("_ \<langle>Component\<rangle>\<^sub>P\<^sub>r\<^sub>o\<^sub>d\<^sub>u\<^sub>c\<^sub>t" [1000]999)
+  where "  \<sigma> \<langle>Component\<rangle>\<^sub>P\<^sub>r\<^sub>o\<^sub>d\<^sub>u\<^sub>c\<^sub>t = \<lparr> Resource.tag_attribute = 1::int ,
+                                 Resource.name = name \<sigma> ,
+                                 Electronic.provider  = provider \<sigma> ,
+                                 Electronic.manufacturer  = ''no manufacturer'' ,
+                                 Component.mass = mass \<sigma> ,
+                                 Component.dimensions = [] \<rparr>" 
+
+definition Computer_Hardware_to_Hardware_morphism :: "Computer_Hardware \<Rightarrow> Hardware"
+           ("_ \<langle>Hardware\<rangle>\<^sub>C\<^sub>o\<^sub>m\<^sub>p\<^sub>u\<^sub>t\<^sub>e\<^sub>r\<^sub>H\<^sub>a\<^sub>r\<^sub>d\<^sub>w\<^sub>a\<^sub>r\<^sub>e" [1000]999)
+           where "\<sigma> \<langle>Hardware\<rangle>\<^sub>C\<^sub>o\<^sub>m\<^sub>p\<^sub>u\<^sub>t\<^sub>e\<^sub>r\<^sub>H\<^sub>a\<^sub>r\<^sub>d\<^sub>w\<^sub>a\<^sub>r\<^sub>e =
+                  \<lparr>  Resource.tag_attribute = 2::int ,
+                     Resource.name = name \<sigma> ,
+                     Informatic.description = ''no description'', 
+                     Hardware.type = type \<sigma> ,
+                     Hardware.mass = mass \<sigma> ,
+                     Hardware.composed_of = map Product_to_Component_morphism 
+                                                (composed_of \<sigma>)
+                   \<rparr>" 
+
+lemma inv_c2_preserved :
+  "c2_inv \<sigma> \<Longrightarrow> c1_inv (\<sigma> \<langle>Hardware\<rangle>\<^sub>C\<^sub>o\<^sub>m\<^sub>p\<^sub>u\<^sub>t\<^sub>e\<^sub>r\<^sub>H\<^sub>a\<^sub>r\<^sub>d\<^sub>w\<^sub>a\<^sub>r\<^sub>e)"
+  unfolding c1_inv_def c2_inv_def 
+            Computer_Hardware_to_Hardware_morphism_def Product_to_Component_morphism_def  
+  by (auto simp: comp_def)
+
+lemma Computer_Hardware_to_Hardware_morphism_total :
+  "Computer_Hardware_to_Hardware_morphism ` ({X::Computer_Hardware. c2_inv X}) \<subseteq> ({X::Hardware. c1_inv X})"
+  using inv_c2_preserved 
+  by auto
+
+(*>*)
+
+text\<open>
+The \<^dof> framework does not assume that all documents refer to the same ontology. 
+Each document may even build its local ontology without any external reference. 
+It may also be based on several reference ontologies (\<^eg>, from the  \<^dof> library). 
+Since ontological instances possess \<^emph>\<open>representations inside the logic\<close>,
+the relationship between a local ontology and a reference ontology can be formalised
+using a morphism function also inside the logic. More precisely, the instances of local ontology 
+classes may be described as the image of a 
+transformation applied to one or several other instances of class(es) belonging to another 
+ontology. Thanks to the morphism relationship, the obtained class may either import meta-data 
+(definitions are preserved)  or map meta-data (the properties are different but 
+are semantically equivalent) that are defined in the referenced class(es). 
+It may also provide additional properties. This means that morphisms may be injective, 
+surjective, bijective, and thus describe abstract relations between ontologies.
+This raises the question of invariant preservation.
+\<close>
+text\<open>
+To illustrate this process, we have defined a simple ontology to classify Hardware objects.
+%This ontology is described in \autoref{fig-Local-Ontology-example
+
+%\begin{figure}[!h]
+@{boxed_theory_text [display]
+\<open>onto_class Item =
+  name :: string
+onto_class Product = Item +
+  serial_number :: int
+  provider :: string
+  mass :: int
+onto_class Computer_Hardware = Product +
+  type :: Hardware_Type
+  composed_of :: "Product list" 
+  invariant c2 :: "Product.mass \<sigma> = sum(map Product.mass (composed_of \<sigma>))"\<close>}
+%\caption{An extract of a local (user)  ontology.}
+%\label{fig-Local-Ontology-example}
+%\end{figure}
+%} 
+
+This ontology defines the \<^typ>\<open>Item\<close>, \<^typ>\<open>Product\<close> and \<^typ>\<open>Computer_Hardware\<close> concepts (or classes).  
+Each class contains a set of attributes or properties and some local invariants.
+In this example, we focus on the \<^typ>\<open>Computer_Hardware\<close> 
+class defined as a list of products characterised by their mass value.
+This class contains a local \<^theory_text>\<open>invariant c2\<close> to guarantee that its own mass value
+equals the sum of all the masses of the products composing the object.
+For the sake of the argument, we use the reference ontology (considered as a standard)
+described in this listing:
+%\begin{figure}
+@{boxed_theory_text [display]
+\<open>definition sum where "sum S = (fold (+) S 0)"
+
+datatype Hardware_Type = Motherboard | Expansion_Card | Storage_Device ...
+
+onto_class Resource =
+  name :: string
+onto_class Electronic = Resource +
+  provider :: string
+  manufacturer :: string
+onto_class Component = Electronic +
+  mass :: int
+  dimensions :: "int list" 
+onto_class Informatic = Resource +
+  description :: string
+onto_class Hardware = Informatic +
+  type :: Hardware_Type
+  mass :: int
+  composed_of :: "Component list" 
+  invariant c1 :: "mass \<sigma> = sum(map Component.mass (composed_of \<sigma>))"\<close>}
+%\caption{An extract of a reference ontology.}
+%\label{fig-Reference-Ontology-example}
+%\end{figure}
+
+This ontology defines  the \<^typ>\<open>Resource\<close>,
+\<^typ>\<open>Electronic\<close>, \<^typ>\<open>Component\<close>, \<^typ>\<open>Informatic\<close> and \<^typ>\<open>Hardware\<close> concepts.
+In our example, we focus on the \<^typ>\<open>Hardware\<close> class containing a \<^const>\<open>Component.mass\<close> attribute
+inherited from the \<^typ>\<open>Component\<close> class
+and composed of a list of components with a \<^const>\<open>Component.mass\<close> attribute formalising
+the mass value of each component.
+The \<^typ>\<open>Hardware\<close> class also contains a local \<^theory_text>\<open>invariant c1\<close>
+to define a constraint linking the global mass of a \<^typ>\<open>Hardware\<close> object
+with the masses of its own components.  
+
+\<close>
+
+text\<open>
+To check the coherence of our local ontology, we define a relationship between the local ontology 
+and the reference ontology using morphism functions (or mapping rules as in ATL framework~@{cite "atl"}
+or EXPRESS-X language~@{cite "BGPP95"}). These rules are applied to define the relationship 
+between one class of the local ontology to one or several other class(es) described in the reference 
+ontology. In our case, we have define two morphisms, \<^const>\<open>Product_to_Component_morphism\<close>
+and \<^const>\<open>Computer_Hardware_to_Hardware_morphism\<close>, detailed in the following listing: 
+
+%\begin{figure}
+@{boxed_theory_text [display]
+\<open>definition Product_to_Component_morphism :: 
+            "Product \<Rightarrow> Component" ("_ \<langle>Component\<rangle>\<^sub>P\<^sub>r\<^sub>o\<^sub>d\<^sub>u\<^sub>c\<^sub>t" [1000]999)
+  where "  \<sigma> \<langle>Component\<rangle>\<^sub>P\<^sub>r\<^sub>o\<^sub>d\<^sub>u\<^sub>c\<^sub>t = \<lparr> Resource.tag_attribute = 1::int ,
+                                 Resource.name = name \<sigma> ,
+                                 Electronic.provider  = provider \<sigma> ,
+                                 Electronic.manufacturer  = ''no manufacturer'' ,
+                                 Component.mass = mass \<sigma> ,
+                                 Component.dimensions = [] \<rparr>"\<close>} 
+
+@{boxed_theory_text [display]
+\<open>definition Computer_Hardware_to_Hardware_morphism ::
+            "Computer_Hardware \<Rightarrow> Hardware"
+           ("_ \<langle>Hardware\<rangle>\<^sub>C\<^sub>o\<^sub>m\<^sub>p\<^sub>u\<^sub>t\<^sub>e\<^sub>r\<^sub>H\<^sub>a\<^sub>r\<^sub>d\<^sub>w\<^sub>a\<^sub>r\<^sub>e" [1000]999)
+           where "\<sigma> \<langle>Hardware\<rangle>\<^sub>C\<^sub>o\<^sub>m\<^sub>p\<^sub>u\<^sub>t\<^sub>e\<^sub>r\<^sub>H\<^sub>a\<^sub>r\<^sub>d\<^sub>w\<^sub>a\<^sub>r\<^sub>e =
+                  \<lparr>  Resource.tag_attribute = 2::int ,
+                     Resource.name = name \<sigma> ,
+                     Informatic.description = ''no description'', 
+                     Hardware.type = type \<sigma> ,
+                     Hardware.mass = mass \<sigma> ,
+                     Hardware.composed_of = map Product_to_Component_morphism 
+                                                (composed_of \<sigma>) \<rparr>"\<close>}
+%\caption{An extract of a mapping definition.}
+%\label{fig-mapping-example}
+%\end{figure}
+
+
+These definitions specify how \<^typ>\<open>Product\<close> or \<^typ>\<open>Computer_Hardware\<close> objects are mapped to \<^typ>\<open>Component\<close> 
+or \<^typ>\<open>Hardware\<close> objects defined in the reference ontology.
+This mapping shows that the structure of a (user) ontology may be arbitrarily different
+from the one of a standard ontology it references. 
+\<close>
+
+text\<open>
+After defining the mapping rules, now we have to deal with the question of invariant preservation. 
+The following example proofs for a simple but typical example of reformatting meta-data into another 
+format along an ontological mapping are nearly trivial:
+
+%\begin{figure}
+@{boxed_theory_text [display]
+\<open>lemma inv_c2_preserved :
+  "c2_inv \<sigma> \<Longrightarrow> c1_inv (\<sigma> \<langle>Hardware\<rangle>\<^sub>C\<^sub>o\<^sub>m\<^sub>p\<^sub>u\<^sub>t\<^sub>e\<^sub>r\<^sub>H\<^sub>a\<^sub>r\<^sub>d\<^sub>w\<^sub>a\<^sub>r\<^sub>e)"
+  unfolding c1_inv_def c2_inv_def 
+            Computer_Hardware_to_Hardware_morphism_def
+            Product_to_Component_morphism_def  
+  by (auto simp: comp_def)
+
+lemma Computer_Hardware_to_Hardware_total :
+         "Computer_Hardware_to_Hardware_morphism ` ({X. c2_inv X}) 
+      \<subseteq> ({X::Hardware. c1_inv X})"
+  using inv_c2_preserved by auto\<close>}
+%\caption{Proofs establishing an Invariant Preservation.}
+%\label{fig-xxx}
+%\end{figure}
+
+After unfolding
+the invariant and the morphism definitions, the preservation proof is automatic. The advantage 
+of using the \<^dof> framework compared to approaches like ATL or EXPRESS-X is 
+the possibility of formally verifying the \<^emph>\<open>mapping rules\<close>, \<^ie>,  proving the preservation 
+of invariants, as we have demonstrated in the previous example.
+\<close>
+
+(*<*)
+text\<open>Ontology example extracted from
+\<^file>\<open>$ISABELLE_DOF_HOME/src/ontologies/CENELEC_50128/CENELEC_50128.thy\<close> and adapted\<close>
+
+datatype role =  PM     \<comment> \<open>Program Manager\<close>
+              |  RQM    \<comment> \<open>Requirements Manager\<close> 
+              |  DES    \<comment> \<open>Designer\<close>
+              |  IMP    \<comment> \<open>Implementer\<close> 
+              |  ASR    \<comment> \<open>Assessor\<close> 
+              |  INT    \<comment> \<open>Integrator\<close> 
+              |  TST    \<comment> \<open>Tester\<close>
+              |  VER    \<comment> \<open>Verifier\<close>
+              |  VnV    \<comment> \<open>Verification and Validation\<close>
+              |  VAL    \<comment> \<open>Validator\<close>
+
+datatype phase = SYSDEV_ext \<comment> \<open> System Development Phase (external)\<close>  
+               | SPl   \<comment> \<open>Software Planning\<close>
+               | SR    \<comment> \<open>Software Requirement\<close> 
+               | SA    \<comment> \<open>Software Architecture\<close>
+               | SDES  \<comment> \<open>Software Design\<close>
+               | SCDES \<comment> \<open>Software Component Design\<close> 
+               | CInT  \<comment> \<open>Component Implementation and Testing\<close>
+               | SI    \<comment> \<open>Software Integration\<close>
+               | SV    \<comment> \<open>Software Validation\<close>
+               | SD    \<comment> \<open>Software Deployment\<close>
+               | SM    \<comment> \<open>Software Maintenance\<close>
+
+doc_class cenelec_document = text_element +
+   phase         :: phase
+   written_by   :: role      \<comment> \<open>Annex C Table C.1 \<close>
+   fst_check     :: role      \<comment> \<open>Annex C Table C.1 \<close>
+   snd_check    :: role      \<comment> \<open>Annex C Table C.1 \<close>
+   invariant must_be_chapter :: "text_element.level \<sigma> = Some(0)"
+   invariant two_eyes_prcple :: "written_by \<sigma> \<noteq> fst_check \<sigma> 
+                                     \<and> written_by \<sigma> \<noteq> snd_check \<sigma>"
+
+(* artificial definition to enable checking in text\<open>\<close>
+   It will have to be implemented to enable the invariant well_formed_pre in SWIS_E.
+*)
+definition "iswff\<^sub>p\<^sub>r\<^sub>e" :: "bool" 
+  where "iswff\<^sub>p\<^sub>r\<^sub>e \<equiv> True"
+
+doc_class SWIS_E =
+   op_name          :: "string"
+   op_args_res       :: "(string \<times> typ) list \<times> typ" \<comment> \<open>args and result type\<close>
+   pre_cond          :: "(string \<times> thm) list"        \<comment> \<open>labels and predicates\<close>
+   post_cond         :: "(string \<times> thm) list"        \<comment> \<open>labels and predicates\<close>
+  (* iswff\<^sub>p\<^sub>r\<^sub>e  will have to be implemented to enable the invariant well_formed_pre. *)
+  (* invariant well_formed_pre :: "\<forall>cond \<in> set(map snd (pre_cond \<sigma>)). 
+                                              iswff\<^sub>p\<^sub>r\<^sub>e (op_args_res \<sigma>) (cond)"
+   invariant well_formed_post:: ...*)
+
+doc_class SWIS = cenelec_document + \<comment> \<open>software interface specification\<close> 
+   phase        :: "phase"  <= "SCDES"      written_by   :: "role"   <= "DES"
+   fst_check    :: "role"   <= "VER"           snd_check    :: "role"   <= "VAL"
+   components:: "SWIS_E list"
+   type_synonym software_interface_specification = SWIS
+
+(*>*)
+
+section*[appl_certif::technical]\<open>Application: CENELEC Ontology\<close>
+
+text\<open>From its beginning, \<^dof> had been used for documents containing formal models targeting 
+certifications. A major case-study from the railways domain based on the CENELEC 50128 standard
+had been published earlier (cf. @{cite "DBLP:conf-ifm-BruckerW19"}) 
+\<^footnote>\<open>Our CENELEC ontology in 
+\<^dof> can be found at 
+\<^url>\<open>https://github.com/logicalhacking/Isabelle_DOF/blob/main/src/ontologies/CENELEC_50128/CENELEC_50128.thy\<close>.\<close>.
+The CENELEC Standard comprises 18 different ``Design and Test Documents''; a fully fledged description of 
+our ontology covering these is therefore out of reach of this paper.
+Rather, we present how the novel concepts such as invariants and term-antiquotations are used in 
+selected elements in this ontology.
+
+According to CENELEC Table C.1, for example, we specify the category of ``Design and Test Documents''
+as follows:
+@{boxed_theory_text [display]
+\<open>doc_class cenelec_document = text_element +
+   phase         :: phase
+   written_by   :: role      \<comment> \<open>Annex C Table C.1 \<close>
+   fst_check     :: role      \<comment> \<open>Annex C Table C.1 \<close>
+   snd_check    :: role      \<comment> \<open>Annex C Table C.1 \<close>
+   ... 
+   invariant must_be_chapter :: "text_element.level \<sigma> = Some(0)"
+   invariant two_eyes_prcple :: "written_by \<sigma> \<noteq> fst_check \<sigma> 
+                                     \<and> written_by \<sigma> \<noteq> snd_check \<sigma>"\<close>}
+
+This class refers to the ``software phases'' the standard postulates (like \<^const>\<open>SPl\<close> for 
+``Software Planning'' or \<^const>\<open>SCDES\<close> for ``Software Component Design'') 
+which we model by a corresponding enumeration types (not shown here).  
+Similarly, the standard postulates ``roles'' that certain specified teams possess in the overall process
+(like \<^const>\<open>VER\<close> for verification and \<^const>\<open>VAL\<close> for validation). We added invariants that specify 
+certain constraints implicit in the standard: for example, a \<^typ>\<open>cenelec_document\<close> must have
+the textual structure of a chapter (the \<^emph>\<open>level\<close>-attribute is inherited from an underlying 
+ontology library specifying basic text-elements) as well as the two-eyes-principle between authors and
+checkers of these chapters.
+\<close>
+text\<open> The concrete sub-class of  \<^typ>\<open>cenelec_document\<close> is the class \<^typ>\<open>SWIS\<close>
+(``software interface specification'') as shown below, 
+which provides the role assignment required for this document type: 
+@{boxed_theory_text [display] \<open>
+
+doc_class SWIS = cenelec_document + \<comment> \<open>software interface specification\<close> 
+   phase        :: "phase"  <= "SCDES"      written_by   :: "role"   <= "DES"
+   fst_check    :: "role"   <= "VER"           snd_check    :: "role"   <= "VAL"
+   components:: "SWIS_E list"\<close>} 
+The structural constraints expressed so far can in principle be covered by any 
+hand-coded validation process and suitable editing support (\<^eg>,  Protégé @{cite "protege"}). 
+However, a closer look at the class \<^typ>\<open>SWIS_E\<close> (``software interface specification 
+element'') referenced in the \<^const>\<open>components\<close>-attribute reveals the unique power of \<^dof>;
+rather than saying ``there must be a pre-condition'', \<^dof> can be far more precise:
+@{boxed_theory_text [display]
+\<open>doc_class SWIS_E =
+   op_name          :: "string"
+   op_args_res       :: "(string \<times> typ) list \<times> typ" \<comment> \<open>args and result type\<close>
+   pre_cond          :: "(string \<times> thm) list"        \<comment> \<open>labels and predicates\<close>
+   post_cond         :: "(string \<times> thm) list"        \<comment> \<open>labels and predicates\<close>
+   invariant well_formed_pre :: "\<forall>cond \<in> set(map snd (pre_cond \<sigma>)). 
+                                              iswff\<^sub>p\<^sub>r\<^sub>e (op_args_res \<sigma>) (cond)"
+   invariant well_formed_post:: ...\<close>}
+where the constant \<^const>\<open>iswff\<^sub>p\<^sub>r\<^sub>e\<close> is bound to a function at the SML-level, that
+is executed during the evaluation phase of these invariants and that checks:
+\<^item> Any \<^emph>\<open>cond\<close> is indeed a valid definition in the global logical context
+  (taking HOL-libraries but also the concrete certification target model into account).
+\<^item> Any such HOL definition has the syntactic form:
+  \<^vs>\<open>-0.3cm\<close>
+  @{cartouche [display,indent=10,margin=70] \<open>pre_<op_name> (a\<^sub>1::\<tau>\<^sub>1) ... (a\<^sub>n::\<tau>\<^sub>n) \<equiv> <predicate>,\<close>}
+  \<^vs>\<open>-0.3cm\<close>
+  where \<open>(a\<^sub>1::\<tau>\<^sub>1) ... (a\<^sub>n::\<tau>\<^sub>n)\<close> correspond to the argument list.
+\<^item> The case for the post-condition is treated analogously. \<close>
+
+text\<open>Note that this technique can also be applied to impose specific syntactic constraints on
+types. For example, via the SI-package available in the Isabelle AFP
+\<^footnote>\<open>\<^url>\<open>https://www.isa-afp.org/entries/Physical_Quantities.html\<close>\<close>, it is possible to express
+that the result of some calculation is of type
+\<open>32 unsigned [m\<^sup>\<cdot>s\<^sup>-\<^sup>2]\<close>, so a 32-bit natural representing an acceleration in the SI-system.
+Therefore it is possible to impose that certain values refer to physical dimensions
+measured in a concrete metrological system. 
+\<close>
+
+section*[rw::related_work]\<open>Related Work\<close>
+
+text\<open>There are a number of approaches to use ontologies for structuring the link between
+information and knowledge, and to make it amenable to 
+ ``semantic'' search in or consistency checking of documents.
+Some are targeting mathematical libraries,
+like the search engine \<^url>\<open>http://shinh.org/wfs\<close> which uses clever text-based search methods in 
+a large number of formulas, agnostic of their logical context and of formal proof,
+or the OAF project @{cite "KohlhaseR21"} which developed a common ontological format,
+called  OMDoc/MMT, and six \<^emph>\<open>export\<close> functions from major ITP systems into it.
+The more difficult task to develop import functions has not been addressed, not to mention
+the construction of imported proofs in a native tactic proof format. Rather, the emphasis
+was put on building a server infrastructure based on conventional, rather heavy-weight
+database and OWL technology. Our approach targets so far only one ITP system and
+its libraries, and emphasizes type-safeness, expressive power and “depth” of meta-data,
+which is adapted to the specific needs of ITP systems and theory developments.
+
+There are also a number of proposals of ontologies targeting mathematics:
+the OntoMath\textsuperscript{PRO} @{cite "Nevzorova2014OntoMathPO"} proposes a 
+``taxonomy of the fields of mathematics'' (p. 6).
+In total, OntoMath\textsuperscript{PRO} contains the daunting number of 3,449 classes,
+which is in part due to the need to compensate
+the lack of general datatype definition methods for meta-data.
+It is nevertheless an interesting starting point for a future development of a mathematics ontology
+in the \<^dof> framework.
+Other ontologies worth mentioning are DBpedia @{cite "10.1007/978-3-540-76298-0_52"}, 
+which provides with the \<^emph>\<open>SPARQL endpoint\<close>  \<^url>\<open>http://dbpedia.org/sparql\<close> a search engine, 
+and the more general ScienceWISE \<^footnote>\<open>\<^url>\<open>http://sciencewise.info/ontology/\<close>.\<close>
+that allows users to introduce their own category concepts.
+Both suffer from the lack of deeper meta-data modeling, and the latter is still at the beginning
+(ScienceWISE marks the Mathematics part as ``under construction'').
+
+Regarding the use of formal methods to formalise standards, the Event-B method was proposed by
+Fotso et al. @{cite "FotsoFLM18"} for specifications of the hybrid ERTMS/ETCS level 3 standard,
+in which requirements are specified using SysML/KAOS goal diagrams. The latter were translated into 
+Event-B, where domain-specific properties were specified by ontologies.
+In another case, Mendil et al. @{cite "MendilASMP21"} propose an Event-B framework for formalising standard
+ conformance through formal modelling of standards as ontologies. 
+The proposed approach was exemplified on ARINC 661 standard
+in the context of a weather radar system application.
+These works are essentially interested in expressing ontological concepts in a formal method 
+but do not explicitly deal with the formalisation of rules/invariants defined in ontologies. 
+The question of ontology-mappings is not addressed.
+
+%   \<^url>\<open>https://github.com/CLLKazan/OntoMathPro\<close> 
+%
+% ITEM The "Ontology for Engineering Mathematics" 
+%  \<^url>\<open>https://tomgruber.org/writing/an-ontology-for-engineering-mathematics\<close> is
+%  is  unfortunately only a half-baked approach to model physical quantities
+%  and SI-measurements. Instead of using ontologies for this purpose, there
+%  exist approaches based on strong type systems 
+\<close>
+
+section*[concl::conclusion]\<open>Conclusion and Future Work\<close>
+text\<open>We presented \<^dof>, an ontology framework 
+deeply integrating continuous-check\slash continuous-build functionality into
+the formal development process in \<^hol>. The novel feature of term-contexts in \<^dof>,
+which permits term-antiquotations elaborated in the parsing process, paves the
+way for the abstract specification of meta-data constraints as well the possibility
+of advanced search in the meta-data of document elements. Thus it profits and
+extends  Isabelle's document-centric view on formal development.
+
+Many ontological languages such as OWL as well as the meta-modeling technology 
+available for UML/OCL provide concepts for semantic rules and constraints, but
+leave the validation checking usually to external tools (if implementing them at all).
+This limits their practical usefulness drastically. Our approach treats invariants as 
+first-class citizens, and turns them into an object of formal study in, for example, 
+ontological mappings. Such a technology exists, to our knowledge, for the first time.
+
+Our experiments with adaptations of existing ontologies from engineering and mathematics
+show that \<^dof>'s ODL has sufficient expressive power to cover all aspects
+of languages such as OWL (with perhaps the exception of multiple inheritance on classes).
+However, these ontologies have been developed specifically \<^emph>\<open>in\<close> OWL and target
+its specific support, the Protégé editor @{cite "protege"}. We argue that \<^dof> might ask 
+for a re-engineering of these ontologies: less deep hierarchies, rather deeper structure 
+in meta-data and stronger invariants.
+\<close>
+
+(*subsection*[fw::related_work]\<open>Future Work\<close>*)
+
+text\<open> We plan to complement \<^dof> with incremental LaTeX generation and a previewing facility
+that will further increase the usability of our framework for the ontology-conform editing
+of formal content, be it in the engineering or the mathematics domain
+(this paper has been edited in \<^dof>, of course).
+
+Another line of future application is to increase the ``depth'' of built-in term antiquotations such
+as \<^theory_text>\<open>@{typ \<open>'\<tau>\<close>}\<close>, \<^theory_text>\<open>@{term \<open>a + b\<close>}\<close> and \<^theory_text>\<open>@{thm \<open>HOL.refl\<close>}\<close>, which are currently implemented 
+just as validations in the current logical context. In the future, they could  optionally be expanded 
+to the types, terms and theorems (with proof objects attached) in a meta-model of the Isabelle Kernel 
+such as the one presented in @{cite "10.1007/978-3-030-79876-5_6"} (also available in the AFP). 
+This will allow for definitions of query-functions in, \<^eg>, proof-objects, and pave the way 
+to annotate them with typed meta-data. Such a technology could be relevant for the interoperability 
+of proofs across different ITP platforms.
+\<close>
+*)
+(*<*)
+close_monitor*[this]
+
+end
+(*>*) 
diff --git a/src/document-templates/root-2022-phd-poster.tex b/src/document-templates/root-2022-phd-poster.tex
new file mode 100644
index 0000000..791cecd
--- /dev/null
+++ b/src/document-templates/root-2022-phd-poster.tex
@@ -0,0 +1,610 @@
+\RequirePackage{ifvtex}
+\documentclass[25pt, a0paper, portrait]{tikzposter}
+\usepackage[T1]{fontenc}
+\usepackage[utf8]{inputenc}
+\usepackage[T1]{fontenc}
+\usepackage[utf8]{inputenc}
+\usepackage{textcomp}
+\bibliographystyle{abbrvnat}
+\usepackage[english]{babel}
+\RequirePackage[caption]{subfig}
+\usepackage{isabelle}
+\usepackage{isabellesym}
+\IfFileExists{DOF-core.sty}{}{%
+  \PackageError{DOF-core}{Isabelle/DOF not installed. 
+    This is a Isabelle_DOF project. The document preparation requires
+    the Isabelle_DOF component from:
+    <isadofurl>
+  }{For further help, see <isadofurl>}
+}
+\input{ontologies}
+\IfFileExists{preamble.tex}{\input{preamble.tex}}{}%
+\usepackage{amsmath}
+\usepackage{DOF-amssymb}
+\usepackage[numbers, sort&compress, sectionbib]{natbib}
+\usepackage{graphicx}
+\usepackage{hyperref}
+\setcounter{tocdepth}{3} 
+\hypersetup{%
+   bookmarksdepth=3
+  ,pdfpagelabels
+  ,pageanchor=true
+  ,bookmarksnumbered
+  ,plainpages=false
+} % more detailed digital TOC (aka bookmarks)
+\sloppy
+\allowdisplaybreaks[4]
+\urlstyle{rm}
+\isabellestyle{it}
+
+\newenvironment{frontmatter}{}{}
+
+\title{%
+\parbox{\linewidth}{%
+\centering Isabelle/DOF:\\
+A Framework for Proving Ontology-Relations
+and Runtime Testing Ontology Instances%
+}}
+\author{Idir Ait-Sadoune, Nicolas Méric and Burkhart Wolff}
+\date{\today}
+\institute{Université Paris-Saclay, LMF, France}
+
+\usepackage{blindtext}
+\usepackage{comment}
+\usepackage{amsmath}
+
+% Process bibliography using biber engine.
+%\usepackage[
+  % biber, the default backend of biblatex, supports Ascii,
+  % 8-bit encodings, utf-8, on-the-fly reencoding, locale-specific sorting,
+  % and many other features.
+  % Locale-specific sorting, case-sensitive sorting,
+  % and upper/lowercase precedence are controlled by the options
+  % sortlocale, sortcase, and sortupper, respectively.
+  % See biblatex documentation file biblatex.pdf,
+  % 3.12, 2018/10/30, section 3.1.1, page 45.
+%  backend=biber,
+  % Whether or not to print back references in the bibliography.
+  % The back references are a list of page numbers indicating the pages
+  % on which the respective bibliography entry is cited.
+  % If there are refsection environments in the document,
+  % the back references are local to the reference sections.
+  % Strictly speaking, this option only controls
+  % whether the biblatex package collects the data required
+  % to print such references.
+  % This feature still has to be supported by the selected bibliography style.
+  % All standard styles which come with this package do so.
+  % See biblatex documentation file biblatex.pdf,
+  % 3.12, 2018/10/30, section 3.1.2.1, page 50.
+%  backref=true,
+  % Loads the citation style <file>.cbx.
+  % See § 3.3.1 for an overview of the standard citation styles.
+  % See biblatex documentation file biblatex.pdf,
+  % 3.12, 2018/10/30, section 3.1.1, page 45.
+%  citestyle=alphabetic,
+  % Loads the bibliography style <file>.bbx.
+  % See § 3.3.2 for an overview of the standard bibliography styles.
+  % See biblatex documentation file biblatex.pdf,
+  % 3.12, 2018/10/30, section 3.1.1, page 45.
+%  bibstyle=alphabetic,
+%]{biblatex}
+
+\usetheme{Simple}
+
+% Add bibliography using biblatex macro.
+%
+% Adds a <resource>, such as a .bib file, to the default resource list.
+% This command is only available in the preamble.
+% It replaces the \bibliography legacy command.
+% Note that files must be specified with their full name,
+% including the extension.
+% Do not omit the .bib extension from the filename.
+% Also note that the <resource> is a single resource.
+% If the resources contain duplicate entries (that is, duplicate entrykeys),
+% it is backend dependent what then happens.
+% For example, by default biber will ignore
+% further occurrence of entrykeys unless its --noskipduplicates options is
+% used.
+% Invoke \addbibresource multiple times to add more resources.
+% See biblatex documentation file biblatex.pdf,
+% 3.12, 2018/10/30, section 3.7.1, page 81-82.
+%\addbibresource{bibliography.bib}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\def\HyperFirstAtBeginDocument#1{#1}
+\begin{document}
+\begin{frontmatter}
+  \maketitle
+  % \tableofcontents
+\end{frontmatter}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{columns}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\column{0.33}
+
+% \block{Overview}{
+% \begin{itemize}
+%   \item
+%     Why (Document) Ontologies
+%   \item
+%     Ontologies and Formal Theories
+%   \item
+%     DOF Design
+%   \item
+%     Isabelle/DOF Implementation
+%  \item
+%     Some Application Scenarios
+% \end{itemize}
+% TODO: Add figure
+% PUBLIC RELEASE:
+% http/10.5281/zenodo.3370483
+% }
+
+\block{Linking the Formal and the Informal: Why Ontologies?}{
+% \begin{itemize}
+%   \item
+%     More powerful ITP systems
+%     \(\Longrightarrow\) body of formalised mathematics and engineering
+  % \item
+    The Isabelle Archive Formal of Proof as example :
+\begin{tikzfigure}
+  \includegraphics[width=0.4\linewidth]{%
+    figures/afp_growth_in_number_of_articles.png}
+\end{tikzfigure}
+In 2022, the count stood at 661
+articles, 420 authors and 3.3 M loc !
+  % \item
+}
+Problem of logical consistency technically solved via continuous proof-checking
+
+Problem of knowledge retrieval and of linking semi-formal explanations to
+definitions and proofs still largely open.
+
+The central role in technologies adressing the \emph{knowledge} problem
+is played by \emph{document ontologies}, i.e., a machine-readable form
+of meta-data attached to document-elements as well as their document discourse.
+In order 
+to make these techniques applicable to \emph{formal theory development},
+the following is needed:
+\begin{itemize}
+  \item 
+a general mechanism to define and develop \emph{domain-specific} ontologies,
+\item
+... that should be adapted to entities occurring in formal theories,
+  i.e., provide built-in support for types, terms, theorems, proofs, etc.,
+\item
+ways to annotate meta-data generated by ontologies to the document elements,
+  as ``deep'' as possible, together with strong validation checks,
+\item
+a smooth integration into the theory document development process, and
+\item
+ways to relate ontologies and ontology-conform documents along different
+  ontologies by \emph{ontological mappings} and \emph{data translations}
+  \footnote{We follow throughout this text the terminology established in 
+              \cite{books/daglib/0032976}, pp. 39 ff.}
+\end{itemize}
+    % Rising need for:
+    % % \begin{itemize}
+    %   % \item
+    %     structuring and consistency,
+    %   % \item
+    %     advanced “semantic” search,
+    %   % \item
+    %     tool-interaction.
+   % % \end{itemize}
+% % \end{itemize}
+
+% % \begin{itemize}
+  % % \item
+    % This requires more structured and typed meta-information
+    % % for our application domain
+    % in theory developments
+% % \item
+   % and a better dependency-control of the different document elements,
+   % like
+  % % \begin{itemize}
+    % % \item
+    %   types, terms, theorems
+    % % \item
+    %   code % (proof-terms, proof generating programs, SML, LaTeX etc, but also Scala and C! )
+    % % \item
+    %   text and diagrams %(and perhaps animations, see Jupyter Notebooks https://jupyter.org/ )
+    % % \item
+    %   … and the links between them, requiring notions of
+    %   consistency and coherence for collaborative development
+  % % \end{itemize}
+  % % \item
+
+    % The language in which such meta-information can be specified
+    % is called a \emph{document ontology} %(or \emph{vocabulary})
+% % \end{itemize}
+}
+
+% \block{Linking the Formal and the Informal\\ - Existing Approaches -}{
+% \begin{itemize}
+%   \item
+%     Code Antiquotations as in LISP, MetaML, SML, …
+% \begin{tikzfigure}
+%   \includegraphics[width=0.4\linewidth]{%
+%     figures/code_antiquotations.png}
+% \end{tikzfigure}
+%   \item
+%     Document pragmas as in JavaDoc, Doxygen, et al
+%     TODO: Add figure
+%     \item
+%       Compilation process allows for document generation and some consistency checks
+%       \(\Longrightarrow\) batch mode consistency only.
+%   \item
+%     The Isabelle Approach to “Text-Antiquotations”
+%     (heavily used to assure \emph{coherence} and
+%     \emph{traceability} in the technical documentations and papers)
+%   \item
+%     Definitions and proofs can be mixed with text elements
+%     \begin{tikzfigure}
+%       \includegraphics[width=0.4\linewidth]{%
+%         figures/text_element.png}
+%     \end{tikzfigure}
+%   \item
+%     Text Elements may contain Antiquotations to Formal Content
+%     in the Logical Context, which are checked and animated in the IDE:
+%     \begin{tikzfigure}
+%       \includegraphics[width=0.4\linewidth]{%
+%         figures/text_element_with_formal_content.png}
+%     \end{tikzfigure}
+%   \item
+%     The global doc-generation process yields a presentation in, e.g.,  .pdf :
+%     \begin{tikzfigure}
+%       \includegraphics[width=0.4\linewidth]{%
+%         figures/output.png}
+%     \end{tikzfigure}
+%   \item
+%     Similarly, Isabelle Code uses heavily “SML-Antiquotations” 
+%   \item
+%     SML System Code can be mixed with antiquotations producing
+%     SML level representation of types and terms:
+%     \begin{tikzfigure}
+%       \includegraphics[width=0.4\linewidth]{%
+%         figures/sml_code_with_antiquotations.png}
+%     \end{tikzfigure}
+% \end{itemize}
+% }
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% \column{0.33}
+
+% \block{Isabelle's Document-Centric View on Formal Development}{
+% \begin{itemize}
+%   \item
+%     Primary document type: “XXX.thy”
+%     \begin{tikzfigure}
+%       \includegraphics[width=0.4\linewidth]{%
+%         figures/theories_hierarchy.png}
+%     \end{tikzfigure}
+%   \begin{itemize}
+%     \item
+%       Acyclic Graph of units that consist of
+%       a sequence of \emph{document elements}
+%       called “commands”
+%     \item
+%       commands user-programmable in SML
+%     \item
+%       Support of Cascade Syntax:
+%       @{SML ‹ … @{type ‹  ….  ›} … ›}
+%     \item
+%       Commands are semantically transformers
+%       of the logical context : \(\Theta \Rightarrow \Theta\)
+%     \item
+%       anti-quotations are “semantic macros” and as such partial) functions:
+%       \(\Theta \Rightarrow \text{text}\)
+%       \(\Theta \Rightarrow \text{sml}\)
+%       \(\Theta \Rightarrow \text{term}\)
+%     \item
+%       pervasive continuous build/check of Isabelle/PIDE supports anti-quotations.
+%   \end{itemize}
+% \end{itemize}
+% }
+
+\block{Isabelle/DOF}{
+\begin{itemize}
+  \item
+    DOF : The Document Ontology Framework
+    has been designed as an Isabelle component that attempts to answer these needs.
+  \item
+    Prior Versions of Isabelle/DOF support semantic annotations of text and code-contexts:
+
+    \(
+text*[label::classid, attr1 =E1 , ... attrn =En ]⟨ some semi-formal text ⟩
+\)
+
+\(
+ML*[label::classid, attr1 =E1 , ... attrn =En ] ⟨ some SML code ⟩
+\)
+    TODO: Add figure
+  \item
+    Novelty in Isabelle/DOF: support of \(\lambda\)-term-contexts, e.g.:
+    \(value*[label::classid, attr1 =E1 , ... attrn =En ]⟨ some annotated \lambda-term ⟩\)
+    TODO: Add figure
+
+  formal, machine-checked invariants on meta-data, which correspond to the concept of
+  ``rules'' in OWL~ \cite{OWL2014} or ``constraints'' in UML, and which can be specified in
+  common Isabelle/HOL \(\lambda\)-term syntax.
+\end{itemize}
+
+% \innerblock{Isabelle/DOF}{
+%   AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+% }
+}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\column{0.33}
+
+\block{Isabelle/DOF Core : ODL}{
+\begin{itemize}
+  \item
+    The Ontology Definition Language (ODL):
+    The Mechanism to \emph{define} Ontologies
+  \item
+    Features:
+    \begin{tikzfigure}
+      \includegraphics[width=0.4\linewidth]{%
+        figures/odl.png}
+    \end{tikzfigure}
+    \begin{itemize}
+      \item
+        classes (for the “concepts”)
+      \item
+        classes may have attributes
+        with HOL type
+      \item
+        class declarations  can be
+        interleaved with arbitrary HOL
+        declarations
+      \item
+        attributes of class-instances
+        are mutable;  (default) values
+        can be denoted by HOL-terms
+      \item
+        class declarations induce a HOL-type;
+        this allows to establish “ontological links”
+    \end{itemize}
+    \begin{tikzfigure}
+      \includegraphics[width=0.4\linewidth]{%
+        figures/dof_classes.png}
+    \end{tikzfigure}
+    \begin{itemize}
+      \item
+        classes have single inheritance
+        (is a - relation)
+      \item
+        attribute overriding of attributes is possible
+      \item
+        meta-level types of the ITP were included as abstract HOL types;
+        their inhabitance is checked
+        in the global context \(\theta\)
+    \end{itemize}
+\end{itemize}
+}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% \column{0.33}
+
+\block{DOF Example Document}{
+\begin{itemize}
+  \item
+    Defining the Ontological Context
+\begin{tikzfigure}
+  \includegraphics[width=0.4\linewidth]{%
+    figures/ontological_context.png}
+\end{tikzfigure}
+  \item
+    And there we go:
+    \begin{tikzfigure}
+      \includegraphics[width=0.4\linewidth]{%
+        figures/dof_document.png}
+    \end{tikzfigure}
+  \item
+    … where title* and
+    abstract* are macros
+    for text*[a::title,…],
+    etc…
+  \item
+    … and the meta-data
+    instances are a, abs,
+    intro, T1, attached to
+    these  doc elements  …
+\end{itemize}
+}
+
+\block{Isabelle/DOF Core : Class Invariants}{
+\begin{itemize}
+  \item
+    ODL used already  \(\lambda\)-(ground)-terms to denote values for attributes.
+  \item
+    New: ODL uses arbitrary \(\lambda\)-terms containing generated
+    \emph{term-antiquotations in invariants},
+    attribute definitions and commands like value*
+  \item
+    Eg.: Invariants for
+    \begin{tikzfigure}
+      \includegraphics[width=0.4\linewidth]{%
+        figures/classes_with_invariant.png}
+    \end{tikzfigure}
+    TODO: FIGURE MUST BU UPDATED!!! See original example
+    \begin{itemize}
+      \item
+        data-integrity constraints
+      \item
+        … using “built-in” term antiquotations for “term”, “typ”, “thm”
+      \item
+        may use DOF-generated term-antiquotations
+        like @{result ‘’<some result instance>’’}
+        or @{introduction ‘’intro’’} or @{instance-of ‘’result’’}, etc.
+      \item
+        “a result text element must provide evidence
+        in form of a proven theorem …”
+    \end{itemize}
+\end{itemize}
+}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\column{0.33}
+
+\block{Consequences}{
+\begin{itemize}
+  \item
+    If an ODL ontology generates “intra-logical” representations,
+    what’s the benefit ?
+    \begin{itemize}
+      \item
+        We don't have to learn a new (meta)-language
+      \item
+        We can define new operations on them inside
+        the  logic and develop their theory …
+      \item
+        … to develop a query language, for example:
+        \(
+          value*⟨ filter (is_interesting) @\{instances-of "result"\} ⟩
+        \)
+      \item
+        We can relate ontologies and ontology instances
+        by formal proof (‘’ontology alignment, ontology mapping’’)
+    \end{itemize}
+\end{itemize}
+}
+
+\block{Consequences: Example Proof of an Ontology Mapping}{
+\begin{itemize}
+  \item
+    A “‘Generic’ Reference Ontology” vs. a “‘local’ Ontology”
+    \begin{tikzfigure}
+      \includegraphics[width=0.4\linewidth]{%
+        figures/reference_ontology.png}
+    \end{tikzfigure}
+    \begin{tikzfigure}
+      \includegraphics[width=0.4\linewidth]{%
+        figures/local_ontology.png}
+    \end{tikzfigure}
+    \begin{tikzfigure}
+      \includegraphics[width=0.4\linewidth]{%
+        figures/morphism.png}
+    \end{tikzfigure}
+  \item
+    “The mapping is correct (preserves the invariants)”
+    \begin{tikzfigure}
+      \includegraphics[width=0.4\linewidth]{%
+        figures/invariant_preserved.png}
+    \end{tikzfigure}
+\end{itemize}
+}
+
+\block{But what “are” ontology-generated term antiquotations  ???}{
+\begin{itemize}
+  \item
+    First of all: how are they processed:
+    \begin{itemize}
+      \item parsing
+      \item type checking
+      \item validation (an argument is indeed a valid reference in the context)
+      \item expansion (replacement of a reference against logical terms)
+      \item evaluation (to SML code, or by nbe)
+    \end{itemize}
+  \item
+    Then “built-in” term-anti quotations can be:
+    \begin{itemize}
+      \item
+        just uninterpreted constants (without expansion)
+        TODO: Add figure
+      \item
+        a ‘’shallow’’ data-type representation (without expansion)
+        TODO: Add figure
+      \item
+        or a “deep” data-type representation into an Isabelle
+        Meta-Model such as [Nipkow,Rosskopf 21] (with expansion)
+        TODO: Add figure
+    \end{itemize}
+\end{itemize}
+}
+
+\block{Conclusion}{
+\begin{itemize}
+  \item
+    DOF provides a framework
+    \begin{itemize}
+      \item
+        for defining ontologies in the context of ITP systems
+      \item
+        its typed ! It has a logical interpretation !
+      \item
+        provides a generated infrastructure for meta-data of
+        types, terms, thm’s and text and code elements
+    \end{itemize}
+  \item
+    DOF provides a framework to enforce on-the-fly
+    ontology-conform documentation checking
+  \item
+    DOF provides infrastructure for proofs over the
+    logical representation of ontologies and meta-data …
+  \item
+    Ontologies generating meta-data can be used
+    for other forms of Tool Interaction via “deep
+    interpretations” into a meta-model
+  \item
+    (P)IDE's are more than just a technical asset
+  \item
+    … it is a corner-stone for a revolution
+    \begin{itemize}
+      \item
+        1970’ies          TEXT
+      \item
+        1990’ies          HYPERTEXT
+      \item
+        2010’ies          REACTIVE DOCUMENTS
+      \item
+        2020’ies          SEMANTIC DOCUMENTS (???)
+    \end{itemize}
+\end{itemize}
+}
+
+\end{columns}
+
+\input{session}
+
+\block{References}{
+% optional bibliography
+\IfFileExists{root.bib}{{\bibliography{root}}}{}
+\end{document}
+%\printbibliography
+}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% \begin{columns}
+%     \column{0.4}
+%     \block{More text}{Text and more text}
+    
+%     \column{0.6}
+%     \block{Something else}{Here, \blindtext \vspace{4cm}}
+%     \note[
+%         targetoffsetx=-9cm, 
+%         targetoffsety=-6.5cm, 
+%         width=0.5\linewidth
+%         ]
+%         {e-mail \texttt{welcome@overleaf.com}}
+% \end{columns}
+
+% \begin{columns}
+%     \column{0.5}
+%     \block{A figure}
+%     {
+%         \begin{tikzfigure}
+%             % \includegraphics[width=0.4\textwidth]{images/overleaf-logo}
+%         \end{tikzfigure}
+%     }
+%     \column{0.5}
+%     \block{Description of the figure}{\blindtext}
+% \end{columns}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\end{document}
+
diff --git a/src/ontologies/scholarly_paper/DOF-scholarly_paper.sty b/src/ontologies/scholarly_paper/DOF-scholarly_paper.sty
index 5d5883c..272f949 100644
--- a/src/ontologies/scholarly_paper/DOF-scholarly_paper.sty
+++ b/src/ontologies/scholarly_paper/DOF-scholarly_paper.sty
@@ -60,9 +60,15 @@
                 \newcommand{\inst}[1]{}%
             }%
             {%
+              \@ifclassloaded{tikzposter}%
+              {%
+                 \newcommand{\inst}[1]{}%
+              }%
+              {%
               \PackageError{DOF-scholarly_paper}
                           {Scholarly Paper only supports LNCS or scrartcl as document class.}
                           {}\stop%
+              }%
             }%
           }%
         }%