GeneSyst: a Tool to Reason about Behavioral Aspects of B Event Specifications. Application to Security Properties.
In this paper, we present a method and a tool to build symbolic labelled transition systems from B specifications. The tool, called GeneSyst, can take into account refinement levels and can visualize the decomposition of abstract states in concrete hierarchical states. The resulting symbolic transition system represents all the behaviors of the initial B event system. So, it can be used to reason about them. We illustrate the use of GeneSyst to check security properties on a model of electronic purse.
Research Summary
The paper introduces GeneSyst, a tool that automatically derives a symbolic labelled transition system (SLTS) from a B‑Event specification, preserving refinement hierarchies and allowing hierarchical state decomposition. B‑Event systems consist of variables, an invariant, an initialisation, and a set of events, each defined by a guard and an action (a generalized substitution). A trace is a finite sequence of event occurrences starting with the initialisation, where each intermediate state satisfies the guard of the next event and the before‑after predicate of the action.
An SLTS is defined as a 4‑tuple (N, Init, U, W): N is a set of symbolic states, each interpreted as a predicate over the variable space; U is a set of labels (D, A, e) where D is an enable‑predicate, A a reachability‑predicate, and e the event name; W ⊆ N × U × N is the transition relation. A transition (E, (D, A, e), F) is valid if (a) D is equivalent to the guard of e when the system is in state E, and (b) A is equivalent to the existence of a post‑state reachable by the action of e while preserving the invariant of F. Under these conditions, Theorem 1 proves that the set of traces of the original B‑Event system coincides exactly with the set of paths of the generated SLTS.
The paper extends the construction to refinement. Given an abstract specification S, a concrete refinement R, and a gluing invariant L (the conjunction of the abstract and concrete invariants), each abstract state is projected onto a concrete state via existential quantification over the abstract variables. The projected transition inherits the same event (refined) and satisfies the same validity conditions, ensuring that any transition enabled in the concrete system is also enabled in the abstract one (Property 2). Hierarchical states are introduced to decompose a projected abstract state into several concrete substates, enabling a clear visual representation of new variables introduced during refinement.
GeneSyst’s workflow requires the user to supply a B component whose ASSERT clause contains a disjunction of predicates P₁ ∨ … ∨ Pₙ that partition the invariant space. The tool checks the completeness condition (I ⇒ ⋁ₖ Pₖ), constructs the symbolic states, computes valid transitions according to Condition 1, and automatically generates the SLTS, including hierarchical visualisations for refined models.
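As an added illustration (not the paper's tool, nor its Demoney model), the Python below builds an SLTS for a constructed toy purse model by evaluating conditions (a) and (b) over a finite state space, checks the completeness condition I ⇒ ⋁ₖ Pₖ of the partition, and replays a B trace against the generated transitions in the sense of Theorem 1. The variable, event and partition names are assumptions; GeneSyst reasons symbolically with a prover, whereas this example represents D and A extensionally as the sets of concrete states of E where they hold.

```python
from itertools import product

# Constructed toy B event system (not the paper's Demoney model): state is (bal, tx).
MAX_BAL, IDLE, DEBIT = 3, "idle", "debit"
INIT = (0, IDLE)
def invariant(s):
    return 0 <= s[0] <= MAX_BAL and s[1] in (IDLE, DEBIT)
STATES = [s for s in product(range(MAX_BAL + 1), (IDLE, DEBIT)) if invariant(s)]
# Events as (guard, action); the action lists every post-state the generalised
# substitution allows (credit is non-deterministic in the amount).
EVENTS = {
    "credit": (lambda s: s[1] == IDLE and s[0] < MAX_BAL,
               lambda s: [(s[0] + n, IDLE) for n in range(1, MAX_BAL - s[0] + 1)]),
    "start_debit": (lambda s: s[1] == IDLE and s[0] > 0, lambda s: [(s[0], DEBIT)]),
    "commit": (lambda s: s[1] == DEBIT, lambda s: [(s[0] - 1, IDLE)]),
}
# Partition predicates P1..Pn, the role the ASSERT clause plays for GeneSyst.
PARTITION = {
    "Empty": lambda s: s[1] == IDLE and s[0] == 0,
    "Funded": lambda s: s[1] == IDLE and s[0] > 0,
    "InDebit": lambda s: s[1] == DEBIT,
}

def partition_is_complete():  # completeness condition: I => P1 v ... v Pn
    return all(any(p(s) for p in PARTITION.values()) for s in STATES)

def symbolic_state(s):
    return next(n for n, p in PARTITION.items() if p(s))

def build_slts():
    """Return {(E, e, F): (D, A)}, D/A as sets of concrete states of E; keep (E, e, F) iff A != {}."""
    slts = {}
    for (E, pE), (F, pF), (e, (guard, act)) in product(
            PARTITION.items(), PARTITION.items(), EVENTS.items()):
        D = {s for s in STATES if pE(s) and guard(s)}  # condition (a): guard of e in E
        A = {s for s in D if any(invariant(t) and pF(t) for t in act(s))}  # (b)
        if A:
            slts[(E, e, F)] = (D, A)
    return slts

def trace_is_path(trace, slts):
    """Theorem 1 (trace -> path): replay [(event, post-state), ...] from INIT."""
    cur = INIT
    for e, nxt in trace:
        guard, act = EVENTS[e]
        ok = guard(cur) and nxt in act(cur) and invariant(nxt)
        if not ok or (symbolic_state(cur), e, symbolic_state(nxt)) not in slts:
            return False
        cur = nxt
    return True
```

Because the state space is finite, the extensional D and A also show which concrete states of E a transition is enabled from and which of them can actually reach F, the distinction the paper's two conditions draw.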
The methodology is demonstrated on the Demoney electronic purse, a realistic Java Card applet that supports payments, credits, encrypted transactions, and communication with external applets. The Demoney model is specified in Event‑B, refined across several levels, and then processed by GeneSyst. The resulting SLTS captures all possible behaviours, and security properties—expressed as the required occurrence or absence of particular events under specific conditions—are verified by checking reachable paths in the SLTS. For example, atomicity of a transaction is ensured by confirming that no intermediate state allows an abort event once the debit event has been enabled.
Key contributions of the paper are: (1) a rigorous definition of SLTS that faithfully represents B‑Event semantics; (2) formal proofs linking traces and SLTS paths, guaranteeing behavioral equivalence; (3) a systematic approach to handle refinement, state projection, and hierarchical decomposition; (4) an implemented tool that automates the generation of SLTS and supports visual inspection of refined behaviours; and (5) a concrete case study showing how the approach can be used to verify security properties of a real‑world smart‑card application.
Limitations include the manual effort required to define the partition predicates in the ASSERT clause, potential state‑space explosion for large specifications, and the lack of built‑in support for probabilistic or timed extensions. Future work suggested by the authors involves automatic predicate generation, optimisation techniques for large‑scale SLTS exploration, and integration with other formal verification tools to handle richer behavioural models.