Alessandro Fantechi, Stefania Gnesi, Franco Mazzanti, Rosario Pugliese, and Enrico Tronci. "A Symbolic Model Checker for ACTL." In International Workshop on Current Trends in Applied Formal Method (FMTrends), edited by D. Hutter, W. Stephan, P. Traverso and M. Ullmann, 228–242. Lecture Notes in Computer Science 1641. Boppard, Germany: Springer, 1998. ISSN: 3540664629. DOI: 10.1007/3540482571_14.
Abstract: We present SAM, a symbolic model checker for ACTL, the actionbased version of CTL. SAM relies on implicit representations of Labeled Transition Systems (LTSs), the semantic domain for ACTL formulae, and uses symbolic manipulation algorithms. SAM has been realized by translating (networks of) LTSs and, possibly recursive, ACTL formulae into BSP (Boolean Symbolic Programming), a programming language aiming at defining computations on boolean functions, and by using the BSP interpreter to carry out computations (i.e. verifications).

I. Melatti, F. Mari, T. Mancini, M. Prodanovic, and E. Tronci. "A TwoLayer NearOptimal Strategy for Substation Constraint Management via Home Batteries." IEEE Transactions on Industrial Electronics (2021): 1. Notes: To appear. DOI: 10.1109/TIE.2021.3102431.
Abstract: Within electrical distribution networks, substation constraints management requires that aggregated power demand from residential users is kept within suitable bounds. Efficiency of substation constraints management can be measured as the reduction of constraints violations w.r.t. unmanaged demand. Home batteries hold the promise of enabling efficient and useroblivious substation constraints management. Centralized control of home batteries would achieve optimal efficiency. However, it is hardly acceptable by users, since service providers (e.g., utilities or aggregators) would directly control batteries at user premises. Unfortunately, devising efficient hierarchical control strategies, thus overcoming the above problem, is far from easy. We present a novel twolayer control strategy for home batteries that avoids direct control of home devices by the service provider and at the same time yields nearoptimal substation constraints management efficiency. Our simulation results on field data from 62 households in Denmark show that the substation constraints management efficiency achieved with our approach is at least 82% of the one obtained with a theoretical optimal centralized strategy.

Franco Barbanera, Mariangiola DezaniCiancaglini, Ivano Salvo, and Vladimiro Sassone. "A Type Inference Algorithm for Secure Ambients." Electronic Notes in Theoretical Computer Science 62 (2002): 83–101. Elsevier. Notes: TOSCA 2001, Theory of Concurrency, Higher Order Languages and Types. DOI: 10.1016/S15710661(04)003214.
Abstract: We consider a type discipline for the Ambient Calculus that associates ambients with security levels and constrains them to be traversed by or opened in ambients of higher security clearance only. We present a bottomup algorithm that, given an untyped process P, computes a minimal set of constraints on security levels such that all actions during runs of P are performed without violating the security level priorities. Such an algorithm appears to be a prerequisite to use type systems to ensure security properties in the web scenario.

Corrado BÃ¶hm, and Enrico Tronci. "About Systems of Equations, XSeparability, and LeftInvertibility in the lambdaCalculus." Inf. Comput. 90, no. 1 (1991): 1–32. DOI: 10.1016/08905401(91)900579.

Andrea Bobbio, Sandro Bologna, Michele Minichino, Ester Ciancamerla, Piero Incalcaterra, Corrado Kropp, and Enrico Tronci. "Advanced techniques for safety analysis applied to the gas turbine control system of Icaro co generative plant." In X Convegno Tecnologie e Sistemi Energetici Complessi, 339–350. Genova, Italy, 2001.
Abstract: The paper describes two complementary and integrable approaches, a probabilistic one and a deterministic one, based on classic and advanced modelling techniques for safety analysis of complex computer based systems. The probabilistic approach is based on classical and innovative probabilistic analysis methods. The deterministic approach is based on formal verification methods. Such approaches are applied to the gas turbine control system of ICARO co generative plant, in operation at ENEA CR Casaccia. The main difference between the two approaches, behind the underlining different theories, is that the probabilistic one addresses the control system by itself, as the set of sensors, processing units and actuators, while the deterministic one also includes the behaviour of the equipment under control which interacts with the control system. The final aim of the research, documented in this paper, is to explore an innovative method which put the probabilistic and deterministic approaches in a strong relation to overcome the drawbacks of their isolated, selective and fragmented use which can lead to inconsistencies in the evaluation results.

T. Mancini, F. Mari, I. Melatti, I. Salvo, and E. Tronci. "An Efficient Algorithm for Network Vulnerability Analysis Under Malicious Attacks." In Foundations of Intelligent Systems – 24th International Symposium, ISMIS 2018, Limassol, Cyprus, October 2931, 2018, Proceedings, 302–312., 2018. Notes: Best Paper. DOI: 10.1007/9783030018511_29.

R. Ehrig, T. Dierkes, S. Schaefer, S. Roeblitz, E. Tronci, T. Mancini, I. Salvo, V. Alimguzhin, F. Mari, I. Melatti et al. "An integrative approach for model driven computation of treatments in reproductive medicine." In Proceedings of the 15th International Symposium on Mathematical and Computational Biology (BIOMAT 2015), Rorkee, India., 2015. DOI: 10.1142/9789813141919_0005.

T. Mancini, I. Melatti, and E. Tronci. "Anyhorizon uniform random sampling and enumeration of constrained scenarios for simulationbased formal verification." IEEE Transactions on Software Engineering (2021): 1. ISSN: 19393520. Notes: To appear. DOI: 10.1109/TSE.2021.3109842.
Abstract: Modelbased approaches to the verification of nonterminating CyberPhysical Systems (CPSs) usually rely on numerical simulation of the System Under Verification (SUV) model under input scenarios of possibly varying duration, chosen among those satisfying given constraints. Such constraints typically stem from requirements (or assumptions) on the SUV inputs and its operational environment as well as from the enforcement of additional conditions aiming at, e.g., prioritising the (often extremely long) verification activity, by, e.g., focusing on scenarios explicitly exercising selected requirements, or avoiding </i>vacuity</i> in their satisfaction. In this setting, the possibility to efficiently sample at random (with a known distribution, e.g., uniformly) within, or to efficiently enumerate (possibly in a uniformly random order) scenarios among those satisfying all the given constraints is a key enabler for the practical viability of the verification process, e.g., via simulationbased statistical model checking. Unfortunately, in case of nontrivial combinations of constraints, iterative approaches like Markovian random walks in the space of sequences of inputs in general fail in extracting scenarios according to a given distribution (e.g., uniformly), and can be very inefficient to produce at all scenarios that are both legal (with respect to SUV assumptions) and of interest (with respect to the additional constraints). For example, in our case studies, up to 91% of the scenarios generated using such iterative approaches would need to be neglected. In this article, we show how, given a set of constraints on the input scenarios succinctly defined by multiple finite memory monitors, a data structure (scenario generator) can be synthesised, from which anyhorizon scenarios satisfying the input constraints can be efficiently extracted by (possibly uniform) random sampling or (randomised) enumeration. Our approach enables seamless support to virtually all simulationbased approaches to CPS verification, ranging from simple random testing to statistical model checking and formal (i.e., exhaustive) verification, when a suitable bound on the horizon or an iterative horizon enlargement strategy is defined, as in the spirit of bounded model checking.

T. Mancini, F. Mari, A. Massini, I. Melatti, and E. Tronci. "Anytime system level verification via parallel random exhaustive hardware in the loop simulation." Microprocessors and Microsystems 41 (2016): 12–28. ISSN: 01419331. DOI: 10.1016/j.micpro.2015.10.010.
Abstract: Abstract System level verification of cyberphysical systems has the goal of verifying that the whole (i.e., software + hardware) system meets the given specifications. Model checkers for hybrid systems cannot handle system level verification of actual systems. Thus, Hardware In the Loop Simulation (HILS) is currently the main workhorse for system level verification. By using model checking driven exhaustive HILS, System Level Formal Verification (SLFV) can be effectively carried out for actual systems. We present a parallel random exhaustive HILS based model checker for hybrid systems that, by simulating all operational scenarios exactly once in a uniform random order, is able to provide, at any time during the verification process, an upper bound to the probability that the System Under Verification exhibits an error in a yettobesimulated scenario (Omission Probability). We show effectiveness of the proposed approach by presenting experimental results on SLFV of the Inverted Pendulum on a Cart and the Fuel Control System examples in the Simulink distribution. To the best of our knowledge, no previously published model checker can exhaustively verify hybrid systems of such a size and provide at any time an upper bound to the Omission Probability.
Keywords: Model Checking of Hybrid Systems; Model checking driven simulation; Hardware in the loop simulation

Toni Mancini, Federico Mari, Annalisa Massini, Igor Melatti, and Enrico Tronci. "Anytime System Level Verification via Random Exhaustive Hardware In The Loop Simulation." In In Proceedings of 17th EuroMicro Conference on Digital System Design (DSD 2014)., 2014. DOI: 10.1109/DSD.2014.91.
