Formal Aspects of Computing

, Volume 20, Issue 1, pp 117–139 | Cite as

Mechanising Mondex with Z/Eves

Original Article


We describe our experiences in mechanising the specification, refinement, and proof of the Mondex Electronic Purse using the Z/Eves theorem prover. We took a conservative approach and mechanised the original LaTEX sources without changing their technical content, except to correct errors. We found problems in the original specification and some missing invariants in the refinements. Based on these experiences, we present novel and detailed guidance on how to drive Z/Eves successfully. The work contributes to the Repository for the Verified Software Grand Challenge.


Correctness Electronic finance Grand challenges Grand Challenge in Verified Software Mondex Refinement Security Smart cards Software archaeology Theorem proving Verification Verified Software Repository Z/Eves Z notation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. BHW06.
    Bicarregui J, Hoare T, Woodcock J (2006) The verified software repository: a step towards the verifying compiler. FACJ 18(2):143–151MATHGoogle Scholar
  2. CSW02.
    Cooper D, Stepney S, Woodcock J (2002) Derivation of Z Refinement Proof Rules. Technical Report YCS-2002-347, University of YorkGoogle Scholar
  3. Cro04.
    Crocker D (2004) Safe object-oriented software: the verified design-by-contract paradigm. In: Redmill F, Anderson T (eds) Practical elements of safety: proceedings of the 12th safety-critical systems symposium. Springer, HeidelbergGoogle Scholar
  4. DGJ+02.
    Hung DV, George C, Janowski T, Moore R (eds) (2002) Specification Case Studies in RAISE. FACIT (Formal Approaches to Computing and Information Technology) series. Springer, HeidelbergGoogle Scholar
  5. ISO02.
    Information Technology—Z Formal Specification Notation—Syntax, Type System and Semantics. ISO/IEC 13568:2002(E) 2002Google Scholar
  6. ITS91.
    ITSEC. Information Technology Security Evaluation Criteria (ITSEC): Preliminary Harmonised Criteria. Document COM(90) 314, Version 1.2. Commission of the European Communities (1991)Google Scholar
  7. Jac06a.
    Jackson D (2006) Software Abstractions: Logic, Language, and Analysis pp 350. The MIT, CambridgeGoogle Scholar
  8. Jac06b.
    Jackson D (2006) Dependable software by design. Scientific American. June 2006Google Scholar
  9. JOW06.
    Jones C, O’Hearn P, Woodcock J (2006) Verified software: a Grand Challenge. IEEE Comput 39(4):93–95Google Scholar
  10. MAV05.
    Métayer C, Abrial J-R, Voisin L (2005) Event-B Language. Project IST-511599 RODIN Rigorous Open Development Environment for Complex Systems. RODIN Deliverable 3.2 Public Document. 31st May 2005 Scholar
  11. Mil99.
    Milner R (1999) Communicating and mobile systems: the π-calculus. Cambridge University Press, CambridgeGoogle Scholar
  12. MonURL.
    Mondex smart cards.
  13. QPQURL.
    The QPQ Deductive Software Repository. qpq.csl.sri.comGoogle Scholar
  14. Saa97a.
    Saaltink M (1997) The Z/EVES User’s Guide. ORA CanadaGoogle Scholar
  15. SCW98.
    Stepney S, Cooper D, Woodcock J (1998) More powerful Z data refinement: pushing the state of the art in industrial refinement. ZUM ’98. Berlin, Germany. LNCS, vol 1493. Springer, Heidelberg, pp 284–307Google Scholar
  16. SCW00.
    Stepney S, Cooper D, Woodcock J (2000) An electronic purse: specification, refinement, and proof. Technical monograph PRG-126, Oxford University Computing Laboratory. July 2000Google Scholar
  17. SGH+06a.
    Schellhorn G, Grandy H, Haneberg D, Reif W (2006) The Mondex challenge: machine checked proofs for an electronic purse. In: Misra J et al (eds) FM 2006: formal methods, 14th international symposium on formal methods, Hamilton, Canada, August 21–27, 2006. Springer, Heidelberg, pp 16–31Google Scholar
  18. SGH+06b.
    Schellhorn G, Grandy H, Haneberg D, Reif W (2006) The Mondex challenge: machine checked proofs for an electronic purse. Technical Report. Institute of Computer Science, University of AugsburgGoogle Scholar
  19. Spi92.
    Spivey JM (1992) The Z Notation: a reference manual, 2nd edn. Prentice Hall International Series in Computer Science, Englewood Cliffs, pp 150Google Scholar
  20. UMLURL.
    UML 2.0 OCL Specification. OMG Adopted Specification ptc/03-10-14 2004Google Scholar
  21. WoD96.
    Woodcock J, Davies J (1996) Using Z: Specification, Refinement, and Proof. Prentice Hall International Series in Computer Science 1996. pp 391. The complete text is available for free download from:
  22. WSC+08.
    Woodcock J, Stepney S, Cooper D, Clark J, Jacob J (2008) The certification of the Mondex electronic purse to ITSEC Level E6. Formal Aspects Comput J 20(1) (this issue)Google Scholar

Copyright information

© British Computer Society 2007

Authors and Affiliations

  1. 1.Department of Computer ScienceUniversity of YorkHeslington, YorkUK

Personalised recommendations