psk_rnks_20_Oct_09

Document Sample
psk_rnks_20_Oct_09 Powered By Docstoc
					                  Brandenburg Technical University Cottbus

                         Chair of Computer Networks and
                            Communication Systems




          Component-Based Protocol Design Verification
                    Using Model Checking




                                     Prabhu. S. Kaliappan
                           Ph.D Student (International Graduate School)




                                                                                     20 Oct 2009

BTU Cottbus, LS Rechnernetze und Kommunikationssysteme, Lehrstuhlinhaber: Prof. Dr.-Ing. H. König
           03013 Cottbus, Postfach 10 13 44,Telefon: 0355/69-2236 Fax: 0355/69-2127
Work Focus (1)




Communications protocol
                                    User A                  User B
              Service



                                     communication channel
              Protocol   Entity -                                     Entity -
                                             Data Packets
                         Sender                                      Receiver



                                                                                 2
       Work Focus (2)

      Model-driven approach
            UML Sequence diagram (message communication)
            UML Activity diagram (message behavior)

                                                                                                        Entity A                                         Entity B


                                                      Accept the           SRequ_1, SDU                            Receive the PDU       DT_1, PDU
                                                      service data

Requester                                 Responder
                                                      Pack as PDU                                                  Unpack PDU as
                                                                           DT_1, pack                                                   DT_1, upack
                                                                                                                   service data

                Entity A    Entity B
                                                      Transfer the          DT_1, PDU                              Release the          SRequ_1, SDU
                                                      PDU                                                          service data
              SRequ
                       DT
                                  SRequ                                             ttimeout, SAbort
                                                      Accept wait timer                                            Accept the service
                                                      timeout: t=0;                                                data                 SResp_1, SDU
                                                      receive PDU: ACK_1
                                                                                  tstart, ACK_1
                                  SResp
              t=3*d
                            CON                       Unpack PDU       ACK_1, upack                                Pack as PDU          ACK_1, pack
               SResp                                  as SDU


              SAbort                                  Release the
                                                      service data         SResp_1, SDU           SAbort, SDU      Transfer the PDU     ACK_1, PDU


                                                                                connected              abort
                                                                                                                                             connected


               Connection establishment
      Component-based protocol design                                                     Connection establishment

            Reusability


                                                                                                                                                         3
Work Focus (3)
Presentation Interface
 Interaction Overview diagram                                                                                                                                          Activiy: Entity B

                                                                                                                                                    Activiy: Entity A


    Requester                                      Responder                                                                                                                                   Entity A


                  Entity A    Entity B                                                                                                                Accept the service   <<SRequ

                SRequ
                         DT                                                                                                                          Component A
                                                                                                                                                      signal (SDU)




      Component A
                t=3*d
                              CON
                                    SRequ

                                    SResp
                                                                                                                                                      Pack as PDU           (DT)



                 SResp
                                                                                                                                                      Transfer the PDU      >>DT
                SAbort


                                                                                                                                                                                     t=0
                                                                                                                                                      Accept wait timer
                                                                                                                                                      timeout: t=0;
                                                                                                                                                      receive PDU: <<CON
                                                                                                                                                                               <<CON

                                                                                                                                                      Unpack PDU           )CON(
                                                                                                                                                      as SDU


                                                                                                                                                      Release the                                          Receive the PDU      <<DT
                                                                                                                                                                           >>SResp         >>SAbort


                                                                                                                                                                                                          Component B
                                            Requester                                            Responder                                            service signal
                                                                                                                                                      (SDU)

                                                                                                                                                                                                           Unpack PDU as
                                                                 Entity A   Entity B                                                                                                                       SDU
                                                                                                                                                                                                                                 )DT(

                                                               SRequ
                                                                       DT


                                                Component B                 ACK
                                                                                  SRequ

                                                                                  SResp
                                                                                                                                                                                                           Release the
                                                                                                                                                                                                           service signal
                                                                                                                                                                                                           (SDU)
                                                                                                                                                                                                                                >>SRequ




                                                               SResp                                                                                                                                       Accept the service
                                                                                                                                                                                                           Signal (SDU)         <<SResp




                                                                                                                                                                                                           Pack as PDU           (CON)




                                                                                                                                                                                                           Transfer the PDU      >>CON
                                                                                                                                                                                                                                           Receive the PDU      <<DT


                                                                                                                                                                                                                                          Component C
                                                                                                                                                                                                                                           Unpack PDU as
                                                                                                                                                                                                                                           SDU
                                                                                                                                                                                                                                                                 )DT(
                                                                                          Requester                                     Responder

                                                                                                                                                                                                                                           Release the          >>SRequ
                                                                                                               Entity A   Entity B                                                                                                         service signal
                                                                                                                                                                                                                                           (SDU)
                                                                                                             SRequ


                                                                                               Component C           DT




                                                                                                                          ACK
                                                                                                                                SRequ

                                                                                                                                SResp
                                                                                                                                                                                                                                           Accept the service
                                                                                                                                                                                                                                           Signal (SDU)         <<SResp



                                                                                                             SResp                                                                                                                                               (CON)
                                                                                                                                                                                                                                           Pack as PDU




                                                                                                                                                                                                                                           Transfer the PDU      >>CON




                Communication perspective                                                                                                             Behavior perspective




                                                                                                                                                                                                                                                                          4
XDT Protocol Specification




                                                                Entity A




                              How to verify!

(Communication perspective)            (Behavior perspective)   Entity B
   Session outline


1. Introduction

2. Motivation

3. Component-Based Design

4. Component-Based Verification

5. Summary




                                  6
    Introduction   Motivation           Design                   Verification           Summary


1. Introduction
                                                                                             A - Connect
                                                                                             B - Data transfer
                                                                                             C - Release
Protocol verification                                               start
    Safety (nothing bad happens)
         Deadlock                                                       A           B
         Invariants                                                                              C         end
            ☞Assertion, a value does not change until end of the
               protocol cycle (e.g. destination address)

    Liveness (something eventually good happens)                        start
         Response
            ☞A successful connection set up should lead an                      A        B
               eventual data transfer                                                                  C
         Precedence
            ☞A successful connection set up should lead an                                                 end
               eventual data transfer until connection release
                                                                        start

                                                                                A        B
Applicable through                                                                                     C
    Final state is reachable!
    Final state is unreachable                                                                             end
         By assumption

                                                                                                       7
     Introduction       Motivation              Design                       Verification                     Summary


2. Motivation

Problems in component-based protocol design verification
     Components                                                                                                         A
            Known behaviors (desired)
            Unknown behaviors (assumption)                                                                                  B
                ☞Not possible to verify before compositions
                ☞For example, go_back_n in the XDT protocol (sequence numbers)
     Compositions
            Component adaptations can be guaranteed for desired behavior
            Dynamic compositions cannot be guaranteed
                                                                         A                                              B       C
            Compositions are not proven for Liveness
                ☞Component A preceds B, B preceds C
Need to address                                                                                                  A      B       C
     Components
                                                                                                                                D
            During modeling, not after modeling.
                                                                                                                        E
     Compositions
            During adaptations, not after adaptations.                                                                          F


A – Data transfer, B – Ack handler, C – End of transfer, D – go_back_n, E – timeout, F – Connection Release                 8
                 Introduction           Motivation             Design              Verification                Summary


     3. Component-Based Design (1)

     Components                                                          Component semantics
                 UML activity diagram                                             Compositional cTLA             // Herrmann et al.

                                                    Entity A
                                                                        A. PROCESS ConEst_Entity_A(Entity_B)
                                                                        B. VARIABLES PSS: {“connected”, “abort”};
  Accept the
  service data
                       SRequ_1, SDU
                                                                        C. INIT   Δ   PSS = NULL;
                                                                        D. PROCESSES
  Pack as PDU          DT_1, pack                                       In:Initial(AT:Tvalue);
                                                                        Awt:AcceptEvent(AT:Tvalue);
                                                                        Act:Action(AT:Tvalue,ATT:Tvalue);
                                                                        Sen:Send(AT:Tvalue);
  Transfer the          DT_1, PDU
                                                                        Awt:AcceptWait(AT:Tvalue,WTT:Tvalue);
  PDU                                                                   Fi:Final(AT:Tvalue);

                                                                        E. ACTIONS
                                ttimeout, SAbort
  Accept wait timer
  timeout: t=0;                                                         con(du :SDU)Δ
  receive PDU: ACK_1                                                    (In.start( 0)∧
                              tstart, ACK_1                              Acc.accept (SRequ_1, SDU) ∧
                                                                         Act.execut e(DT_1, pack) ∧
  Unpack PDU         ACK_1, upack                                       Sen.send(D T_1,PDU) ∧
  as SDU                                                                 Awt.timer( ACK_1 |SAbort, tstart |timeout) ∧
                                                                        (Act.execu te(ACK_1, upack) ∧
                                                                        Sen.send(S Resp_1, SDU) ∧
  Release the
                       SResp_1, SDU           SAbort, SDU               Fi.stop(co nnected,1) ∧
  service data                                                          ⇒ PSS ="connected" ∨
                                                                        Sen.send(S Abort, SDU) ∧
                            connected              abort                Fi.stop(ab ort,1) ∧
                                                                        ⇒ PSS' ="abort" ));

                                                                        F. END

A Successful connection establishment
component for communications protocol

// Herrmann, P.; Krumm, H.: A Framework for Modeling Transfer Protocols. In: Computer Networks 34, 2000, pp. 317-337          9
    Introduction   Motivation         Design                 Verification                    Summary


3. Component-Based Design (2)

                                                                Deterministic component
Notations                                                       [known input and known output]


                                                                Non-deterministic component
Deterministic component                                         [known input and unknown outputs]

    Desired behavior
                                                                Event to fork/join multiple components
         Connection establishment                               [unknown input and unknown output]
         component, etc.
                                                                Control lines
Non-deterministic component
                                               C1: Connection set up
    Assumption-based behavior                  E1: User-defined (fork)
                                               C2: Data transfer
         Ack handler, etc.                     C3: Ack handler
                                               E2: User-defined (Exception)
                                               C4: Connection release
                                                                                                 C3
User-defined events
    Assumptions
         Decision, fork, join, etc.                    C1           E1          C2               E2      C4


Control link
                                                   The example data transfer (XDT) protocol (sender)
                                                                 (Modified version)
                                                                                                         10
                Introduction    Motivation         Design        Verification          Summary


        3. Component-Based Design (3)


        Design adaptations
                                                                                         C1       C2        C5
input
                                C2
                                                                 valid                   C3       C4        C6
                C1                           C4             C5   output
                                                                                           Component
                                                                                            repository
 Independent                     Protocol design
 component                       verification
 verification
                                                                                     C1: Connection set up
                                                                                     E1: User-defined (fork)
input                                                                                C2: Data transfer
                                                   C3                                C3: Ack handler
                                                                 valid               E2: User-defined (Exception)
                                                                 path and output ?   C4: Connection release

                 C1        E1         C2           E2       C4    Known input and known output

                                                                 Known input and unknown output


How to guarantee the design correctness, if a component is modeled as an assumption!                   11
    Introduction       Motivation   Design                     Verification                    Summary


4. Component-Based Verification (1)

                                               1                                                    2
                                    Verification model             Verification             Design error
                                      transformation                 model
    Design components
                                                                                          Interactive
               uses                                  success                              Verification
                                           3                                                        4
                                    Verification property          Assumption
                                                                                           Property check
                                       formulization                properties
   Protocol specification



Model transformation (1)                           Property formulation (3)
    The Spin model checker                                Component behaviors
          Process meta language                                 General properties
          http://spinroot.com                                       ☞ Invariant, response, precedence, etc.
                                                                Special properties
                                                                    ☞ Objective (to check whether the
                                                                       protocol fulfills the service or not).
Design errors (2)                                               Through Linear Temporal Logic (LTL)
    Safety properties                              Property check (4)
          Deadlock                                        Liveness properties
          Invariants
                                                                Precedence
                                                                Response


                                                                                                                12
   Introduction                Motivation         Design             Verification             Summary


4. Component-Based Verification (2)

Incremental verification
   To identify the design errors we apply (2)
        Component verification
                          ☞While component modeling
        Composition verification
                          ☞While component adaptations

   Property verification
        Safety, Liveness properties from the components, compositions


                                                        Design
        UML Design
                                    Properties    Assumptions                   Confirmed
          Model
          Transfomation




                                     Property                      Spin        Verification
                                    Formulation                    model         Result
                                                                  checker


         Verification              Verification    Verification
                                                                              Not Confirmed
           Model                    Properties
                                                                                                        13
           Introduction            Motivation            Design                           Verification   Summary


4. Component-Based Verification (3)
Component verification (while component modeling)

                    Design Component                                 1. Correct behavior
                                                                     2. Fault behavior
   1

Independent No                               Apply
Component                                 Assumptions            Non-deterministic component
                                                                 [known input and unknown output]
                               5
       2    Yes                            Property
                           A
                                          Formulation
                                                                       LTL Properties
                                              6
Verification
  Model
       3


  Basic                                    Advanced
Verification                              Verification
       4                                      7
                                                                 Deterministic component
                                                                 [known input and known output]
                   Success
Verification           A
                                          Verification Success
  Result                                    Result
            Fail                                  Fail                LTL Properties

                   Verification Results                                     Component Behaviors – Local properties

                                           :Always, ◊:Eventually, →: Implies, υ: Until, ∨: Or, ∧: And
                                                                                                                   14
                      // LTL Notations:
      Introduction                 Motivation                 Design                     Verification          Summary


4. Component-Based Verification (4)
                                                                               Example
                                                   Entity A                           Promela transformation
 Accept the
                                                                                      Validate through Spin model
                      SRequ_1, SDU
 service data
                                                                                      checker
 Pack as PDU          DT_1, pack

                                                                                      Correct behavior
 Transfer the
 PDU
                       DT_1, PDU                                                             “ DT_1→◊ACK_1”
                                                                                             Always data with sequence
                               ttimeout, SAbort
 Accept wait timer
 timeout: t=0;
                                                                                             number 1 implies eventually
 receive PDU: ACK_1
                             tstart, ACK_1                                                   acknowledgement with
 Unpack PDU       ACK_1, upack
                                                                                             sequence number 1.
 as SDU


 Release the
 service data         SResp_1, SDU           SAbort, SDU                              Fault behavior
                           connected              abort                                      “ timeout→◊SAbort”
                                                                                             Always timeout implies
                                                                                             eventually abort
Connection establishment component




                                              :Always, ◊:Eventually, →: Implies, υ: Until, ∨: Or, ∧: And
                                                                                                                           15
                  // LTL Notations:
   Introduction   Motivation   Design                Verification                     Summary


4. Component-Based Verification (5)

Composition verification (while component adaptation)
   Consistency, Correctness
                                              a.)        C1              C2             C3
Consistency                                         o/p: success     i/p: success     i/p: success
   Deterministic component                                           o/p: success

        Known Input, known output             b.)
                                                          C1              C2            C3
        Behavioral mapping
                                                     o/p: fail       i/p: success     i/p: success
                                                                     o/p: success

   Non-deterministic component
        Assumption                            c.)          C1              C2             C3

                                                      o/p: success     i/p: success     i/p: success
                                                                       o/p: unknown     o/p: unknown
Correctness
   Trace generation
        Path to be traversed in composition
        Next slide please!


                                                                                                       16
                             Introduction         Motivation         Design                     Verification                 Summary


                      4. Component-Based Verification (6)
                                                                                                                      C1: Connection set up
                Design steps                     Component trace         Design trace
                                                                                                                      E1: User-defined (fork)
1. Component C1 placed                                                                                                C2: Data transfer
                                                       C1           C1         (from step 1)                          C3: Ack handler
                C1
                                                                   C1→◊E1      (from step 2)                          E2: User-defined (Exception)
                                                                                                                      C4: Connection release
2. User-defined event E1 placed
                                                                   ◊E1          (from step 2)                                          C3
                                                      ◊E1          E1→◊C2       (from step 3)
            C1         E1
                                                                   E1→◊C3       (from step 4)
                                                                                                                C1      E1      C2     E2        C4
3. Component C2 placed
                                                      ◊C2          ◊C2         (from step 3)
           C1         E1          C2
                                                                   C2→◊E2      (from step 5)                     The XDT protocol (sender)

4. Component C3 placed
                                       C3                          ◊C3          (from step 4)
                                                      ◊C3          C3→◊E2       (from step 5)
      C1         E1         C2
                                                                   C3→◊C4       (from step 6)                  Component trace
5. User-defined event E2 placed                                                                                      Execution behavior
                                                                   ◊E2          (from step 5)
                                       C3
                                                                   E2 →◊C1      (from step 5)
                                                                                                               Design trace
                                                      ◊E2          E2 →◊C4      (from step 6)                        Protocol design
      C1         E1         C2         E2
                                                                                                                     behavior
6. Component C4 placed                                                                                         Global properties
                                                                   ◊C4          (from step 6)
                                 C3

                                                      ◊C4
 C1        E1         C2         E2         C4                                                                                              17
   Introduction   Motivation   Design         Verification           Summary


4. Component-Based Verification (7)

                                                                   Design
Property verification (1)                                           Model


Protocol design onto Promela
                                                                   PROMELA

Local properties
                                                                            Global properties
   Independent component verification           Local properties

                                                                    Spin
Global properties
   Dependent component verification
   Protocol design correctness verification                    Verification
                                                                 Results




                                                                                   18
     Introduction   Motivation        Design   Verification             Summary


4. Component-Based Verification (8)
Property verification (2)

                                                     Local properties
                                 C3
                                                              Independent component
                                                              Component correctness
C1        E1        C2           E2      C4




                                                     Global properties
                                                              External behaviors of the
                                 C3                           component
                                                              Correct and faulty
C1       E1         C2           E2     C4                    behavior can be checked
                                                              Protocol design
                                                              correctness
                                                              Protocol design
                                                              completeness


                                                                                  19
   Introduction   Motivation       Design               Verification        Summary


5. Summary

Incremental verification
    Independent component verification
        Behaviors as local properties
    While component adaptation
        Consistency check
        Generated a trace based on the temporal events
        Behaviors as global properties
    Which guarantees
        Consistency (adaptation check)
        Completeness (all components literally reached or not)
        Correctness (local and global (behavioral) property verification)

Not Addressed in this talk!
    Promela Transformation
        Model transformation is possible using component syntax and semantics mapping
    Property formulation
        Automatic method to derive response properties
        General properties and special properties



                                                                                        20
                  Brandenburg Technical University Cottbus

                         Chair of Computer Networks and
                            Communication Systems




                                     Thank you ...




                    Questions are guaranteed in life, but answers aren“t!




                                                                              To be continued...

BTU Cottbus, LS Rechnernetze und Kommunikationssysteme, Lehrstuhlinhaber: Prof. Dr.-Ing. H. König
           03013 Cottbus, Postfach 10 13 44,Telefon: 0355/69-2236 Fax: 0355/69-2127

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:0
posted:11/17/2012
language:English
pages:21