Software & Systems Modeling

, Volume 4, Issue 1, pp 32–54 | Cite as

The KeY tool

Integrating object oriented design and formal verification
  • Wolfgang AhrendtEmail author
  • Thomas Baar
  • Bernhard Beckert
  • Richard Bubel
  • Martin Giese
  • Reiner Hähnle
  • Wolfram Menzel
  • Wojciech Mostowski
  • Andreas Roth
  • Steffen Schlager
  • Peter H. Schmitt
Regular Paper


KeY is a tool that provides facilities for formal specification and verification of programs within a commercial platform for UML based software development. Using the KeY tool, formal methods and object-oriented development techniques are applied in an integrated manner. Formal specification is performed using the Object Constraint Language (OCL), which is part of the UML standard. KeY provides support for the authoring and formal analysis of OCL constraints. The target language of KeY based development is Java Card DL, a proper subset of Java for smart card applications and embedded systems. KeY uses a dynamic logic for Java Card DL to express proof obligations, and provides a state-of-the-art theorem prover for interactive and automated verification. Apart from its integration into UML based software development, a characteristic feature of KeY is that formal specification and verification can be introduced incrementally.


Object-oriented design Formal specification Formal verification UML OCL Design patterns Java 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ahrendt W (2002) Deductive search for errors in free data type specifications using model generation. In: Voronkov A (ed) Automated Deduction – CADE-18, 18th International Conference on Automated Deduction, Copenhagen, Denmark, LNCS, vol 2392. Springer-VerlagGoogle Scholar
  2. 2.
    Ahrendt W, Baar T, Beckert B, Giese M, Habermalz E, Hähnle R, Menzel W, Schmitt PH (2000) The KeY approach: Integrating object oriented design and formal verification. In: Ojeda-Aciego M, de Guzmán IP, Brewka G, Pereira LM (eds) Proc. 8th European Workshop on Logics in AI (JELIA), LNCS, vol 1919. Springer-Verlag, pp 21–36, Oct.Google Scholar
  3. 3.
    Ahrendt W, Baar T, Beckert B, Giese M, Hähnle R, Menzel W, Mostowski W, Schmitt PH (2002) The KeY system: Integrating object-oriented design and formal methods. In: Kutsche R-D, Weber H (eds) Fundamental Approaches to Software Engineering (FASE), Part of Joint European Conferences on Theory and Practice of Software, ETAPS, Grenoble, LNCS, vol 2306. Springer-Verlag, pp 327–330Google Scholar
  4. 4.
    Androutsopoulos K (2002) Using SMV to model check RSDS specifications. Technical Report TR-02-07, King’s College of London, Department of Computing ScienceGoogle Scholar
  5. 5.
    ANTLR homepage. At Scholar
  6. 6.
    Baar T (2002) How to ground meta-circular OCL descriptions: A set-theoretic approach. In: Clark T, Evans A, Lano K (eds) Proceedings, Fourth Workshop on Rigorous Object-Oriented Methods, LondonGoogle Scholar
  7. 7.
    Baar T (2003) The definition of transitive closure with ocl: Limitations and applications. In: Proceedings, Fifth Andrei Ershov International Conference, Perspectives of System Informatics, Novosibirsk, Russia, LNCS, vol 2890. Springer, pp 358–365, JulyGoogle Scholar
  8. 8.
    Baar T (2003) Über die Semantikbeschreibung OCL-artiger Sprachen. PhD thesis, Fakultät für Informatik, Universität Karlsruhe. ISBN 3-8325-0433-8, Logos Verlag, BerlinGoogle Scholar
  9. 9.
    Baar T (2004) Metamodels without metacircularities. L’Objet. To appearGoogle Scholar
  10. 10.
    Baar T, Beckert B, Schmitt PH (2001) An extension of Dynamic Logic for modelling OCL’s @pre operator. In: Proceedings, Fourth Andrei Ershov International Conference, Perspectives of System Informatics, Novosibirsk, Russia, LNCS, vol 2244. Springer, pp 47–54Google Scholar
  11. 11.
    Baar T, Hähnle R (2000) An integrated metamodel for OCL types. In: France R, Rumpe B, Whittle J (eds) Proc. OOPSLA 2000 Workshop Refactoring the UML: In Search of the Core, Minneapolis/MI, USA, Oct.Google Scholar
  12. 12.
    Baar T, Hähnle R, Sattler T, Schmitt PH (2000) Entwurfsmustergesteuerte Erzeugung von OCL-Constraints. In: Mehlhorn K, Snelting G (eds) Softwaretechnik-Trends, Informatik Aktuell, pp 389–404. Springer-Verlag, Sept. In German.Google Scholar
  13. 13.
    Balser M, Reif W, Schellhorn G, Stenzel K, Thums A (2000) Formal system development with KIV. In: Maibaum T (ed) Fundamental Approaches to Software Engineering, LNCS, vol 1783. Springer-VerlagGoogle Scholar
  14. 14.
    Beck K (1999) Embracing change with Extreme Programming. Computer 32:70–77, Oct.CrossRefGoogle Scholar
  15. 15.
    Beckert B (2001) A dynamic logic for the formal verification of Java Card programs. In: Attali I, Jensen T (eds) Java on Smart Cards: Programming and Security. Revised Papers, Java Card 2000, International Workshop, Cannes, France, LNCS, vol 2041. Springer-Verlag, pp 6–24Google Scholar
  16. 16.
    Beckert B, Giese M, Habermalz E, Hähnle R, Roth A, Rümmer P, Schlager S (2004) Taclets: A new paradigm for writing theorem provers. Revista De La Real Academia De Ciencias Exactas, Fisicas Y Naturales. To appear.Google Scholar
  17. 17.
    Beckert B, Keller U, Schmitt PH (2002) Translating the Object Constraint Language into first-order predicate logic. In: Proceedings, VERIFY, Workshop at Federated Logic Conferences (FLoC), Copenhagen, Denmark. Available at∼key/doc/2002/ Scholar
  18. 18.
    Beckert B, Mostowski W (2003) A program logic for handling Java Card’s transaction mechanism. In: Pezzè M (ed) Proceedings, Fundamental Approaches to Software Engineering (FASE) Conference, LNCS, vol 2621. Warsaw, Poland. Springer, pp 246–260, AprilGoogle Scholar
  19. 19.
    Beckert B, Schlager S (2001) A sequent calculus for first-order dynamic logic with trace modalities. In: Gorè R, Leitsch A, Nipkow T (eds) Proceedings, International Joint Conference on Automated Reasoning, Siena, Italy, LNCS vol 2083. Springer, pp 626–641Google Scholar
  20. 20.
    Beckert B, Schlager S (2004) Software verification with integrated data type refinement for integer arithmetic. In: Proceedings, International Conference on Integrated Formal Methods, Canterbury, UK, LNCS. Springer. To appearGoogle Scholar
  21. 21.
    Beckert B, Schmitt PH (2003) Program verification using change information. In: Proceedings, Software Engineering and Formal Methods (SEFM), Brisbane, Australia. IEEE Press, pp 91–99Google Scholar
  22. 22.
    Boehm BW (1988) A spiral model of software development and enhancement. IEEE Computer 21(5):61–72CrossRefGoogle Scholar
  23. 23.
    Borland Together homepage. At Scholar
  24. 24.
    Breu R, Grosu R, Huber F, Rumpe B, Schwerin W (1997) Towards a precise semantics for object-oriented modeling techniques. In: Bosch J, Mitchell S (eds) Object-Oriented Technology, ECOOP’97 Post Conference Workshop Reader, Jyväskylä, Finland, LNCS, vol 1357. Springer-VerlagGoogle Scholar
  25. 25.
    Brucker AD, Wolff B (2002) HOL-OCL: Experiences, consequences and design choices. In: Jézéquel J-M, Hussmann H, Cook S (eds) UML 2002: Model Engineering, Concepts and Tools, LNCS, vol 2460. Springer-Verlag, pp 196–211Google Scholar
  26. 26.
    Bubel R, Hähnle R (2003) Formal specification of security-critical railway software with the KeY system. In: Arts T, Fokkink W (eds) Proceedings, Eighth International Workshop on Formal Methods for Industrial Critical Systems (FMICS), Electronic Notes in Theoretical Computer Science, vol 80. ElsevierGoogle Scholar
  27. 27.
    Chen Z (2000) Java Card Technology for Smart Cards: Architecture and Programmer’s Guide. Java Series. Addison-Wesley, JuneGoogle Scholar
  28. 28.
    Cook S, Daniels J (1994) Designing Object Systems: Object-Oriented Modelling with Syntropy. The Object-Oriented Series. Prentice HallGoogle Scholar
  29. 29.
    Crocker D (2002) Perfect Developer: A tool for rigorous object-oriented software development. In: Clark T, Evans A, Lano K (eds) Proc. Fourth Workshop on Rigorous Object-Oriented Methods, LondonGoogle Scholar
  30. 30.
    Darvas A, Hähnle R, Sands D (2003) A theorem proving approach to analysis of secure information flow. In: Gorrieri R (ed) Workshop on Issues in the Theory of Security (WITS). IFIP WG 1.7, ACM SIGPLAN and GI FoMSESSGoogle Scholar
  31. 31.
    Dresden-OCL homepage. At Scholar
  32. 32.
    Evans A, Bruel J-M, France R, Lano K, Rumpe B (1998) Making UML precise. In: Andrade L, Moreira A, Deshpande A, Kent S (eds) Proceedings of the OOPSLA’98 Workshop on Formalizing UML. Why? How?Google Scholar
  33. 33.
    Finger F (2000) Design and implementation of a modular OCL compiler. Diplomarbeit, Technische Universität Dresden, Fakultät für Informatik, Mar.Google Scholar
  34. 34.
    Fowler M, Scott K (1997) UML Destilled. Applying the Standard Object Modeling Language. Addison-WesleyGoogle Scholar
  35. 35.
    France R (1999) A problem-oriented analysis of basic UML static requirements modeling concepts. In: Proceedings of the 1999 ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications. ACM Press, pp 57–69Google Scholar
  36. 36.
    Fujita H, Hasegawa R (1991) A model generation theorem prover in KL1 using a ramified-stack algorithm. In: Furukawa K (ed) Proceedings 8th International Conference on Logic Programming, Paris/France. MIT Press, pp 535–548Google Scholar
  37. 37.
    Gamma E, Helm R, Johnson R, Vlissides J (1995) Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley, Reading/MAGoogle Scholar
  38. 38.
    Giese M (2001) Incremental closure of free variable tableaux. In: Goré, R., Leitsch A, Nipkow T (eds) Proc. Intl. Joint Conference on Automated Reasoning (IJCAR), Siena, Italy, LNCS, vol 2083. Springer-Verlag, pp 545–560Google Scholar
  39. 39.
    Giese M (2003) Taclets and the KeY prover. In: Lüth C, Aspinall D (eds) Intl., Workshop on User Interfaces for Theorem Provers, UITP 2003, Rome, Italy. Arcane, Rome, pp 74–80. Also as Tech. Report 189, Inst. f. Informatik, Albert-Ludwigs-Universität, FreiburgGoogle Scholar
  40. 40.
    Habermalz E (2000) Interactive theorem proving with schematic theory specific rules. Technical Report 19/00, Fakultät für Informatik, Universität Karlsruhe. Available at∼key/doc/2000/ Scholar
  41. 41.
    Hähnle R, Johannisson K, Ranta A (2002) An authoring tool for informal and formal requirements specifications. In: Kutsche R-D, Weber H (eds) Fundamental Approaches to Software Engineering (FASE), Part of Joint European Conferences on Theory and Practice of Software, ETAPS, Grenoble, LNCS, vol 2306. Springer-Verlag, pp 233–248Google Scholar
  42. 42.
    Harel D (1984) Dynamic logic. In: Gabbay D, Guenthner F (eds) Handbook of Philosophical Logic, volume II: Extensions of Classical Logic, chapter 10. Reidel, Dordrecht, pp 497–604Google Scholar
  43. 43.
    Harel D, Kozen D, Tiuryn J (2000) Dynamic Logic. MIT PressGoogle Scholar
  44. 44.
    Holzmann GJ (2001) Economics of software verification. In: Proc., Workshop on Program Analysis for Software Tools and Engineering, Snowbird, Utah, USA, ACM, JuneGoogle Scholar
  45. 45.
    Hutter D, Langenstein B, Sengler C, Siekmann JH, Stephan W (1996) Deduction in the Verification Support Environment (VSE). In: Gaudel M-C, Woodcock J (eds) Proceedings, Formal Methods Europe: Industrial Benefits Advances in Formal Methods. SpringerGoogle Scholar
  46. 46.
    Jacobson I, Rumbaugh J, Booch G (1999) The Unified Software Development Process. Object Technology Series. Addison-Wesley, Reading/MAGoogle Scholar
  47. 47.
    JavaCC homepage. At Scholar
  48. 48.
    JUnit homepage. At Scholar
  49. 49.
    Keller U (2002) Übersetzung von OCL-Constraints in Formeln einer Dynamischen Logik für Java. Diplomarbeit, Fakultät für Informatik, Universität Karlsruhe. In GermanGoogle Scholar
  50. 50.
    Klebanov V (2003) Proof Re-Use in Java Software Verification. Diplomarbeit, Fakultät für Informatik, Universität KarlsruheGoogle Scholar
  51. 51.
    Kozen D, Tiuryn J (1990) Logics of programs. In: van Leeuwen J (ed) Handbook of Theoretical Computer Science, volume B: Formal Models and Semantics, chapter 14. The MIT Press, pp 789–840Google Scholar
  52. 52.
    Lano K, Clark D, Androutsopoulos K (2002) Formalising inter-model consistency of the UML. In: Kuzniarz L, Reggio G, Sourrouille JL, Huzar Z (eds) Blekinge Institute of Technology, Research Report 2002:06. UML 2002, Model Engineering, Concepts and Tools. Workshop on Consistency Problems in UML-based Software Development. Workshop Materials. Department of Software Engineering and Computer Science, Blekinge Institute of Technology, pp 133–148Google Scholar
  53. 53.
    Larsson D, Mostowski W (2004) Specifying Java Card API in OCL. In: OCL 2.0 Workshop at UML 2003, ENTCS. Elsevier. To appearGoogle Scholar
  54. 54.
    Mellor SJ, D’Souza D, Clark T, Evans A, Kent S (2001) Infrastructure and Superstructure of the Unified Modeling Language 2.0 (Response to UML2.0 RfP). Technical report, Submission to the OMGGoogle Scholar
  55. 55.
    Meyer B (1997) Object-Oriented Software Construction. Prentice-Hall, Englewood Cliffs, second editionGoogle Scholar
  56. 56.
    Mostowski W (2002) Rigorous development of JavaCard applications. In: Clark T, Evans A, Lano K (eds) Proc. Fourth Workshop on Rigorous Object-Oriented Methods, London. Available at∼woj/papers/ Scholar
  57. 57.
    Response to the UML OCL RfP (2002) June. OMG document ad/2002-05-09Google Scholar
  58. 58.
    Object Modeling Group (2003) Unified Modelling Language Specification, version 1.5, Mar.Google Scholar
  59. 59.
    Owre S, Rajan S, Rushby J, Shankar N, Srivas M (1996) PVS: Combining specification, proof checking, and model checking. In: Alur R, Henzinger TA (eds) Computer-Aided Verification, CAV ’96, LNCS, vol 1102. Springer-Verlag, pp 411–414, July/AugustGoogle Scholar
  60. 60.
    Paulson LC (1994) Isabelle: a generic theorem prover, LNCS, vol 828. Springer-VerlagGoogle Scholar
  61. 61.
    Pratt VR (1977) Semantical considerations on Floyd-Hoare logic. In: Proceedings, 18th Annual IEEE Symposium on Foundation of Computer ScienceGoogle Scholar
  62. 62.
    Recoder homepage. Scholar
  63. 63.
    Richters M (2002) A Precise Approach to Validating UML Models and OCL Constraints, BISS Monographs, vol 14. Logos Verlag. PhD thesis, Universität BremenGoogle Scholar
  64. 64.
    Roth A (2002) Deduktiver Softwareentwurf am Beispiel des Java Collections Frameworks. Diplomarbeit, Fakultät für Informatik, Universität Karlsruhe, June. In GermanGoogle Scholar
  65. 65.
    Schmitt PH (2001) A model theoretic semantics of OCL. In: Beckert B, France R, Hähnle R, Jacobs B (eds) Proceedings, IJCAR Workshop on Precise Modelling and Deduction for Object-oriented Software Development, Siena, Italy. Technical Report DII 07/01, Dipartimento di Ingegneria dell’Informazione, Università degli Studi di Siena, pp 43–57Google Scholar
  66. 66.
    Snook C, Wheeler P, Butler M (2003) Preliminary tool extensions for integration of UML and B. IST-2000-30103 project deliverable D4.1.2. Available at Scholar
  67. 67.
    Stenzel K (2001) Verification of java card programs. Technical report 2001-5, Institut für Informatik, Universität Augsburg, Germany. Available at Scholar
  68. 68.
    Sun Microsystems, Inc. (2001) Java Card 2.0 Language Subset and Virtual Machine Specification, Palo Alto/CA, Oct.Google Scholar
  69. 69.
    Sun Microsystems, Inc. (2002) Java Card 2.2 Platform Specification, Palo Alto/CA, USA, Sept.Google Scholar
  70. 70.
    von Oheimb D (2000) Axiomatic semantics for Javalight. In: Drossopoulou S, Eisenbach S, Jacobs B, Leavens GT, Müller P, Poetzsch-Heffter A (eds) Proceedings, Formal Techniques for Java Programs, Workshop at ECOOP’00, Cannes, FranceGoogle Scholar
  71. 71.
    von Oheimb D (2001) Analyzing Java in Isabelle/HOL. PhD thesis, Institut für Informatik, Technische Universität München, Jan.Google Scholar
  72. 72.
    Warmer J, Kleppe A (1999) OCL: The constraint language of the UML. Journal of Object-Oriented Programming, 12(1):10–13,28, Mar.Google Scholar

Copyright information

© Springer-Verlag 2004

Authors and Affiliations

  • Wolfgang Ahrendt
    • 1
    Email author
  • Thomas Baar
    • 2
  • Bernhard Beckert
    • 3
  • Richard Bubel
    • 4
  • Martin Giese
    • 1
  • Reiner Hähnle
    • 1
  • Wolfram Menzel
    • 4
  • Wojciech Mostowski
    • 1
  • Andreas Roth
    • 4
  • Steffen Schlager
    • 4
  • Peter H. Schmitt
    • 4
  1. 1.Department of Computing ScienceChalmers University of TechnologyGothenburgSweden
  2. 2.Software Engineering LaboratorySwiss Federal Institute of Technology in LausanneLausanne EPFLSwitzerland
  3. 3.Institute for Computer ScienceUniversity of Koblenz-LandauKoblenzGermany
  4. 4.Department of Computer ScienceUniversity of KarlsruheKarlsruheGermany

Personalised recommendations