protocol verification & protocol validation. protocol verification communication protocols...
TRANSCRIPT
PROTOCOL VERIFICATION & PROTOCOL VALIDATION
Protocol Verification
• Communication Protocols should be checked for correctness , robustness and performance, interoperability etc.
• These methods reduce the complexity in eliminating ambiguity and preparing more structured protocols.
• Programs that implement protocols must cope with asynchronous computing programs, hence exhibit extremely complicated behaviour.
• Protocol verification, verifies correctness of liveness and safety property of a given protocol specification.
Properties of Verification
Need to check for correctness of: Safety and Liveness Property
BAD THINGS WILL NOT HAPPEN
Non-violation of assertions (operation that take place in a protocol)
Invariants(Constant parameters used in a protocol)
Example Safety property of ABP:Sender ensures that data with correct seq.no. is sent to the receiver even
though the data is lost in channel.
Receiver ensures that an ack. Is sent to the sender even if the sent ack is lost in channel.
Receiver never delivers two odd packets.
Safety Properties
Liveness Properties
• GOOD THINGS WILL HAPPEN– Termination of protocol– Recurrent property (for non terminating protocol)– Liveness Properties of ABP are:– The protocol terminates correctly. All the seq.msg,
with seq no. 0 and 1 have been transmitted and received by the receiver process.
The Alternating Bit Protocol as CFSMs
• The Alternating Bit Protocol is used to guarantee the correct data delivery between a sender and receiver connected by an error channel that loses or corrupts messages.
• It got the name since it uses only one additional control bit in the message and this control bit only alternates when the previous message is correctly received.....
FSM in Protocol Verification
The protocol entities are considered to have the following states and transitions:sender: it has two states0 (transmitting frame with sequence number 0) and
1 (transmitting frame with sequence number 1)
receiver: it has two states0 (expecting frame with sequence number 0) and
1 (expecting frame with sequence number 1)
channel: it has four states, 0 (channel contains frame with sequence number 0).
1 (channel contains frame with sequence number 1),
A (channel contains an acknowledgement from the receiver), and empty '-' state (channel does not have any data).
Verification of ABP
Alternating bit protocol
Even under condition of frame and ack. Loss and the protocol returns to its terminator state.
Terminator state is a state of a system whose occurrence means all the specified messages have been transmitted and received correctly.
Proof of liveness properties
Normal Operation of protocol
• Transitions are repeated in order over and again.• In each cycle two packets are delivered to bring the
sender back to initial state of trying to send a new frame with seq no.0,
• Proof of Safety properties:• Handling of lost frames, transition of states are done.
Eventually the sender times out and system moves to initial state.
• Handling of an ack. Transition are states are done to repair the damage caused.
Protocol Validation
Definition:
Protocol validation is a method of checking whether the interactions of protocol entities or according to the protocol specification.
satisfy certain properties or conditions which may be either general or specific to the particular protocol system directly derived from the specifications.
Validation sometimes refers to check the protocol specification such that it will not get into protocol design errors like deadlock, unspecified receptions, and livelock errors.
Protocol Design Errors
State deadlocks
Unspecified receptions
Non-executable interactions
State ambiguity of a protocol
Unboundedness of a protocol
Lack of adaptation in a protocol
Livelocks
Protocol Design Errors
• Non-executable interaction: This is design error, if occurs, which may lead to unreachable or unexecutable code in the protocol.
• Unspecified reception: An incomplete specification of protocol . It causes unspecified reception during its execution.
• Unboundedness of protocol: Design error causes overflowing of known system limits such as limited capacity of message queues.
• State Ambiguity: This is transient error which arbitrarily changes the protocol states.
• Lack of adaptation: Leads the protocol for huge loss of data, heavy buffer space requirement, high BW requirements, etc.,
• State Deadlock: No further protocol execution is possible. Eg. All process are waiting for conditions that can never be fulfilled.
• Livelocks: The protocol execution sequences that can be repeated indefinitely often without ever making effective progress.
CFSM: Communicating Finite State Machines
C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1
CFSMCommunicating Finite State MachineIs represented by states and transitionsand connected to channels.Here sender machine has two channels: C1 and C2. Channel are assumed to be FIFO. C1 is the outgoing channel for sender.C2 is the incoming channel for sender.When the sending transition of sender fires,It sends the msg in transition label to the outgoing channel.The receiving transition can only occurs if there is a msg of the same type in the head of CFSM’s incoming channel.
CFSM
1
-R
2
Initial node with double circle, every CSFM only has one initial state
State of a CFSM
Transition of a CFSM- sign in label sending+ sign in label receivingstring after signmsg typeThis transition sends msg R to the CFSM’s outgoing channel.It can also be represented as (1, 2, -R)
1
2
Operation of CFSMC1
C2
+A
Sender2
1
-R +R-A
Receiver2
1
current state
When the network starts, the current states of both machines are set at their initial states.Receiver at state 1 can not fire the outgoing transition (1, 2, +R)Sender at state 1 can fire the outgoing transition (1, 2, -R), and result in current state of sender changed to 2 and msg R is put in channel C1. C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1R
Operation of CFSM: Step 2
• Now sender at state 2 has (2,1,+A) as its outgoing transition. There is no msg A in C2, therefore this receiving transition cannot be fired. It waits.
• Receiver at state 1 checks its outgoing receiving transition (1,2,+R) and found the msg label matched with the msg in the head of C1. It fires the transition, takes in the msg R (removes from C1) and changes its current state to state 2.
C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1R
C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1
Operation of CFSM: Step 4
• Now sender still at state 2 has (2,1,+A) as its outgoing transition. There is no msg A in C2, therefore this receiving transition cannot be fired. It waits.
• Receiver at state 2 checks its outgoing sending transition (1,2,-A). It fires the transition, put msg A in C2, and changes its current state to state 2.
C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1
C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1
A
Operation of CFSM: Step 5
• Receiver at state 1 checks its outgoing sending transition (1,2,+R). There is no msg R in C1. It waits.
• Now sender at state 2 has (2,1,+A) as its outgoing transition. There is a msg A in C2, therefore this receiving transition can be fired. It reads in A (remove from C2) and changes state to 1. Now Both machines get back to their initial states.
C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1
A
C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1
C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1
What could happen next?
• In CFSM model, we assume only one transition can be fired in a time. No two simultaneous firing.
C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1
C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1
Sender: (1,2,-R)Receiver: (2,1,-A)
R
A
What could happen next?
• Sender cannot move.• Receiver can either receive msg R or send msg B.• How many msgs can be in C1 for this network? How
about C2?
C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1
-BR
C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1
-BR
C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1
-B
Receiver: (1,2,+R) Receiver: (1,2,-B)
B
What could happen next?
• Receiving state is a state where all its outgoing transition are all receiving transition. It can not move without msg in its incoming channel.
• Both machines are at receiving states and channels are empty. This is called deadlock. The network can not progress further.
C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1
Unspecified Reception Error
• There is msg B in C2 but sender does not have a receiving transition with msg B.
• This is called unspecified reception. The network can not progress further.
C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1
B
Non-executable States and Transitions
• State 3 of Receiver will never be executed or become the current state. It is called non-executable state.
• Transitions (2,3,+B) and (3,1,-C) will never be executed. They are called non-executable transitions.
• How does one know they will never be executed?
C1
C2
+A
Sender2
1
-R +R-A
Receiver2
1
B 3
-C
+B
Reachability Analysis
C1
C2
-R+A
Sender2
1
+R-A
Receiver2
1
11
EE
Sender’sState
Channel C1’s content
Channel C2’s content
Receiver’sState
global state/reachable state
CFSM CFSM
21
RE
-R
-B 21
BE
gs0
gsnGlobal State ID
gs2
-B
UnspecifiedReception
Receiver donot know
how to receive B
E: channel empty
22
EE
+R
21
EA
-A
+A
gs1
gs3
gs4
Reachability Graph
A process of generating all possible reachable states from the initial global state
Reachability Analysis
• Starting from initial global state, where channels are empty and machines at their initial state, explore all possible reachable state by firing the possible transitions (and generating global states) from any given reachable state.
• All deadlock and unspecified reception errors will be captured/marked as individual global state.
• By examining the number of msgs in the channels we can design the buffer size for the protocol.
• Can detect non-executable states and transitions by marking those state are touched and transition that are fired during the reachability analysis.
Reability analysis
Reachability Analysis Exercise
a) Perform the reachability analysis on the Network (M, N).b) What sizes of buffers are needed for the two FIFO
channels?c) Are there non-executable states or transitions?
2 3
1
M
-R+A+R -A
2 3
1
N
-R+A+R -A
Solution• One unspecified reception.• Both channels need
buffer size of 2.(see gs8 and gs9)
• No non-executablestates and transitions.
• Since both machinessend same typesof msgs. We useMachine: to specifywhich machine firesthe transition.
1 EE 1
GS 0
2 RE 1
GS 11 ER 2
GS 2M:-R N:-R
2 EE 3
GS 3
N:+R
2 RR 2
GS 43 EE 2
GS 5
N:-R M:-R M:+R
2 EA 1
GS 61 AE 2
GS 7
N:-A
M:+A
2 EAR 2
GS 8
N:-R
M:+A
2 ARE 2
GS 9
M:-A
M:-R N:+A
N:+A
unspecifiedreception
Figure 1. Reachability graph.
Pros and Cons of Reachability AnalysisAdvantages:
* Easily automated.
* Many logical errors can be detected by only examining individual global states in the reachability graph.
Disadvantages:
* State space explosion problem.(The state space of a system can be very large, or even infinite. Thus, at the outset, it is impossible to explore the entire state space with limited resources of time and memory. )
* Does not work on unbounded protocols.
* Many relationships among the protocol state variables, expressing the desirable logical correctness properties of the protocol, are not apparent from simply traversing the reachability graph.
