2018
Authors
Almeida, JB; Barbosa, M; Barthe, G; Pacheco, H; Pereira, V; Portela, B;
Publication
IEEE 31ST COMPUTER SECURITY FOUNDATIONS SYMPOSIUM (CSF 2018)
Abstract
We give a language-based security treatment of domain-specific languages and compilers for secure multi-party computation, a cryptographic paradigm that enables collaborative computation over encrypted data. Computations are specified in a core imperative language, as if they were intended to be executed by a trusted third party, and formally verified against an information-flow policy modelling (an upper bound to) their leakage. This allows non-experts to assess the impact of performance-driven authorized disclosure of intermediate values. Specifications are then compiled to multi-party protocols. We formalize protocol security using (distributed) probabilistic information-flow and prove security-preserving compilation: protocols only leak what is allowed by the source policy. The proof exploits a natural but previously missing correspondence between simulation-based cryptographic proofs and (composable) probabilistic non-interference. Finally, we extend our framework to justify leakage cancelling, a domain-specific optimization that allows one to first write an efficient specification that fails to meet the allowed leakage upper bound, and then apply a probabilistic preprocessing that brings leakage into the acceptable range.
2018
Authors
Harrison, MD; Masci, P; Campos, JC;
Publication
Software Technologies: Applications and Foundations - STAF 2018 Collocated Workshops, Toulouse, France, June 25-29, 2018, Revised Selected Papers
Abstract
User-centred design approaches typically focus understanding on context and on producing sketch designs. These sketches are often non-functional (e.g., paper) prototypes. They provide a means of exploring candidate design possibilities using techniques such as cooperative evaluation. This paper describes a further step in the process using formal analysis techniques. The sketch design of a device is enhanced into a specification that is then analysed using formal techniques, thus providing a systematic approach to checking plausibility and consistency during early design stages. Once analysed, a further prototype is constructed using an executable form of the specification, providing the next candidate for evaluation with potential users. The technique is illustrated through an example based on a pill dispenser. © Springer Nature Switzerland AG 2018.
2018
Authors
Couto, R; Campos, JC; Macedo, N; Cunha, A;
Publication
ELECTRONIC PROCEEDINGS IN THEORETICAL COMPUTER SCIENCE
Abstract
Alloy is a lightweight formal specification language, supported by an IDE, which has proven well-suited for reasoning about software design in early development stages. The IDE provides a visualizer that produces graphical representations of analysis results, which is essential for the proper validation of the model. Alloy is a rich language but inherently static, so behavior needs to be explicitly encoded and reasoned about. Even though this is a common scenario, the visualizer presents limitations when dealing with such models. The main contribution of this paper is a principled approach to generate instance visualizations, which improves the current Alloy Visualizer, focusing on the representation of behavior.
2018
Authors
Couto, R; Campos, JC;
Publication
2018 1ST INTERNATIONAL CONFERENCE ON GRAPHICS AND INTERACTION (ICGI 2018)
Abstract
Alloy supports reasoning about software designs in early development stages. It is composed of a modelling language and a tool that is able to find valid instances of the model. Alloy is able to produce graphical representations of analysis results, which is essential for their interpretation. In previous work we have improved the representations with the usage of layout managers. Here, we further extend that work by presenting the improvements on the approach, and by introducing a new case study to analyse the contribution of layout managers and to support validation through a user study.
2018
Authors
Silva, C; Campos, JC;
Publication
2018 1ST INTERNATIONAL CONFERENCE ON GRAPHICS AND INTERACTION (ICGI 2018)
Abstract
Interface design flaws are often the root cause of use errors in medical devices. Medical incidents are seldom reported, thus hindering the understanding of the incident's contributing factors. Moreover, when dealing with a use error, both novice and expert users often blame themselves for insufficient knowledge rather than acknowledge deficiencies in the device. Simulation-Based Medical Education (SBME) platforms can provide appropriate training to professionals, especially if the right incentives to keep training are in place. In this paper, we present a new SBME, particularly targeted at training interaction with medical devices such as ventilators and infusion pumps. Our SBME functions as a game mode of PVSio-web, a graphical environment for design, evaluation, and simulation of interactive (human-computer) systems. An analytical evaluation of our current implementation is provided, by comparing the features of our SBME with a set of requirements for game-based medical simulators retrieved from the literature. By being developed on a free, open source platform, our SBME is highly accessible and can be easily adapted to specific use cases, such as a specific hospital with a defined set of medical devices.
2018
Authors
Campos, JC; Sousa, N;
Publication
PROCEEDINGS OF THE ACM SIGCHI SYMPOSIUM ON ENGINEERING INTERACTIVE COMPUTING SYSTEMS (EICS'18)
Abstract
The IVY workbench is a model checking based tool for the analysis of interactive system designs. Experience shows that there is a need to complement the analytic power of model checking with support for model validation and analysis of verification results. Animation of the model provides this support by allowing iterative exploration of its behaviour. This paper introduces a new model animation plugin for the IVY workbench. The plugin (AniMAL) complements the modelling and verification capabilities of IVY by providing users with the possibility to interact directly with the model.