Model Checking MANETs with Arbitrary Mobility
Abstract.
Modeling arbitrary connectivity changes of mobile ad hoc networks (MANETs) makes application of automated formal verification challenging. We introduced constrained labeled transition systems (CLTSs) as a semantic model to represent mobility. To model check MANET protocol with respect to the underlying topology and connectivity changes, we here introduce a branchingtime temporal logic interpreted over CLTSs. The temporal operators, from Action Computation Tree Logic with an unless operator, are parameterized by multihop constraints over topologies, to express conditions on successful scenarios of a MANET protocol. We moreover provide a bisimilarity relation with the same distinguishing power for CLTSs as our logical framework.
1 Introduction
In mobile ad hoc networks (MANETs), nodes communicate along multihop paths using wireless transceivers. Wireless communication is restricted; only nodes located in the range of a transmitter receive data. Due to e.g. noise in the environment, interferences, and temporary communication link errors, wireless communication is unreliable, which together with mobility of nodes complicates the design of MANET protocols. Formal methods provide valuable tools to design, evaluate and verify such protocols.
We introduced Restricted Broadcast Process Theory (RBPT) [9] to specify and verify MANETs, taking into account mobility. RBPT specifies a MANET by composing nodes using a restricted local broadcast operator. A strong point of RBPT is that the underlying topology is not specified in the syntax, which would make it hard to set up the initial topology for each scenario in a verification. In similar approaches, the mobility is modeled as arbitrary manipulation of the underlying topology (given as part of the semantic state), which may make the model infinite and insusceptible to automated verification techniques. Instead in the semantic model of RBPT, a constraint labeled transition system (CLTS) [10], transitions are enriched with socalled network constraints, to restrict the possible topologies. This symbolic representation of network topologies in the semantics is more compact and allows automated verification techniques to investigate families of properties on a unified model.
Properties in MANETs tend to be weaker than in wired networks, due to the topologydependent behavior of communication, and consequently the need for multihop communication between nodes. For instance, an important property in routing or information dissemination protocols is packet delivery: If there exists an endtoend route between two nodes \(A\) and \(B\) for a long enough period of time, then packets sent by \(A\) will be received by \(B\) [7]. To reason about properties that require such topology conditions, we introduce a temporal logic CACTL based on ACTLW [16], which consists of Action CTL [3] with an until operator. Our approach supports flexibility in verifying topologydependent behavior (without changing the model), and restricting the generality of mobility as opposed to existing approaches. CACTL is interpreted over CLTSs. Path operators are parameterized with multihop constraints over the underlying topologies. We present a model checking algorithm for CACTL; a model checker for CACTL is being implemented, using the rewrite logic Maude. This provides a framework, supporting both equational reasoning [9] and model checking of MANET protocols, to verify topologydependent properties like “existence of a route”.
We moreover introduce a novel notion of branching network bisimilarity, based on branching bisimilarity [24], that induces the same identification of CLTSs as CACTL. This relation is finer than the one introduced in [10], due to reliability of communication: A receiving node is not equivalent to a deadlocked node anymore, since in parallel with a sending node, an unsuccessful communication cannot be matched to a communication with no enabled receiver (which is the case in the lossy framework).
2 Related Work
MANET protocols have been studied either using existing formalisms such as SPIN [1, 5, 26] and UPPAAL [8, 15, 26, 27], or introducing specific frameworks mainly with an algebraic approach [7, 13, 14, 17, 18, 20, 21, 23]. Important modeling challenges in MANETs are local broadcast, underlying topology and mobility. The modeling approach using existing formalisms can be summarized as follows: The underlying topology is modeled by a twodimensional array of Booleans, mobility by explicit manipulation of this matrix, and local broadcast by unicasting to all nodes with whom the sending node is presently connected, using the connectivity matrix. The verification approach tends to be based on model checking techniques restricted to a prespecified mobility scenario. Lack of support for compositional modeling and arbitrary topology changes has motivated new approaches with a primitive for local broadcast and support of arbitrary mobility. These approaches are CBS#, bKlaim, CWS, CMAN, CMN, \(\omega \)calculus, RBPT, CSDT, and AWN [7, 9, 13, 14, 17, 18, 20, 21, 23]. The common point among them (except RBPT) is implicit manipulation of the underlying topology in the semantics to model arbitrary connectivity changes and mobility. The analysis techniques supported by these frameworks, except bKlaim and AWN, are based on a behavioral congruence relation. In [10] we provided an axiomatization to derive that a specification of a MANET protocol is observably equal to a specification of its desired external behavior. Equational reasoning (applied at the syntactic or the semantic level) requires either abstraction from the actual specification of the MANET protocol, or knowledge about the overall behavior of the MANET beforehand. The model checking approach is useful to investigate specific properties of MANET protocols with less effort and knowledge. The mix of broadcast behavior and mobility leads to statespace explosion, hampering the application of automated verification techniques like model checking. In bKlaim [21], the semantic model is abstracted to a finite labeled transition system such that the mobility information is preserved; a variant of ACTL is introduced to determine which properties hold if movement of nodes is restricted. To this aim, ACTL operators are parameterized by a set of possible network configurations (topology). However, topologydependent behavior cannot be checked. AWN [7] verifies topologydependent behavior properties using CTL [2], by treating a transition label carrying (dis)connectivity information as a predicate of its succeeding state [7] and defining predicates over the topology as part of the syntax. This approach can be extended to algebras, e.g. CMAN and \(\omega \)calculus, with (dis)connectivity information on transition labels. However, this approach needs auxiliary strategies to extract predicates from the states and transitions, to restrict connectivity changes during model checking and thus limit the state space. These challenges are tackled with the help of the model checker UPPAAL, by transforming AWN specifications to automata and exploiting an auxiliary automaton which statically restricts connectivity changes [8], similar to [15].
3 Background
Communication in wireless networks tends to be based on local broadcast: Only nodes that are located in the transmission area of a sender can receive. A node \(B\) is directly connected to a node \(A\), if \(B\) is located within the transmission range of \(A\). This asymmetric connectivity relation between nodes introduces a topology concept. A topology is a function \(\gamma :{ Loc}\rightarrow {I\!\!P}({ Loc}\)) where \({ Loc}\) denotes a finite set of (hardware) addresses \(A,B,C\). We extend \({ Loc}\) with the unknown address \(?\) to model open communications, which is helpful in giving semantics to MANETs in a compositional way.
Constrained labeled transition systems (CLTSs) [10] provide a semantic model for the operational behavior of MANETs. A transition label is a pair of an action and a network constraint, restricting the range of possible underlying topologies. A network constraint \(\mathcal C \) is a set of connectivity pairs \(\rightsquigarrow : { Loc}\times { Loc}\), where only the first address can be \(?\). In this setting, nonexistence of connectivity information between two addresses in a network constraint can imply three consequences; we do not have any information about the link (this is helpful when the link has no effect on the evolution of a network), the link was disconnected, or the link exists, but due to unreliable communication, the communication was unsuccessful. To distinguish these cases from each other, we extend the network constraints of CLTSs with a set of disconnectivity pairs \(\mathrel {\not \rightsquigarrow }: { Loc}\times { Loc}\); while \(B\rightsquigarrow A\) denotes that \(A\) is connected to \(B\) directly and consequently \(A\) can receive data sent by \(B\), \(B\mathrel {\not \rightsquigarrow }A\) denotes that \(A\) is not connected to \(B\) directly and consequently cannot receive any message from \(B\). In this setting, nonexistence of connectivity information between two addresses in a network constraint means a lack of information. We write \(\{B\rightsquigarrow A,C~~B\mathrel {\not \rightsquigarrow }D,E\}\) instead of \(\{B\rightsquigarrow A,B\rightsquigarrow C,B\mathrel {\not \rightsquigarrow }D, B\mathrel {\not \rightsquigarrow }E\}\).
A network constraint \(\mathcal C \) is said to be wellformed if \(\forall \ell \rightsquigarrow \ell '\in \mathcal C \,(\ell '\ne ?\wedge \ell \mathrel {\not \rightsquigarrow }\ell '\mathrel {\not \in }\mathcal C )\) and \(\forall \ell \mathrel {\not \rightsquigarrow }\ell '\in \mathcal C \,(\ell '\ne ?\wedge \ell \rightsquigarrow \ell '\mathrel {\not \in }\mathcal C )\). Let \(\mathbb C \) denote the set of wellformed network constraints that can be defined over network addresses in \({ Loc}\). Each network constraint \(\mathcal C \) represents the set of network topologies that satisfy the (dis)connectivity pairs in \(\mathcal C \), i.e., \(\{ \gamma \mid \mathcal C \subseteq \mathcal C _{\Gamma }(\gamma ) \}\), where \(\mathcal C _{\Gamma }(\gamma )\) extracts all onehop (dis)connectivity information from \(\gamma \). So the empty network constraint \(\{\}\) denotes all possible topologies over \({ Loc}\). Let \({ Act}_\tau \) be the set of actions (including the silent action \(\tau \)), ranged over by \(\eta \).
4 Constrained Action Computation Tree Logic
Properties of MANETs tend to be weaker than of wired networks, due to topologydependent behavior of communication, and consequently the requirement of existence of a multihop communication path between nodes. CLTSs provide a suitable platform to verify topologydependent properties, using the (dis)connectivity information encoded into the transition labels: While transitions are traversed to investigate a behavioral property, (dis)connectivity information is collected to verify the topology conditions on which the behavior depends. To this aim, we introduce a temporal logic based on Action CTL (ACTL) [3] which includes the until and next operators from CTL [2], parameterized with a set of actions. Recently a more expressive variant of ACTL called ACTLW [16] was introduced, in which the next is replaced by an unless operator.
4.1 Concepts
Since the behavior of MANET protocols depends on the underlying topology of the network, many properties depend on constraints on this topology. For example, to examine whether a routing protocol can find a route from node \(A\) to node \(B\), the existence of a multihop path from \(A\) to \(B\) is a precondition. Viewing a network topology as a directed graph, the simplest form of constraint consists of the (non)existence of multihop relations between nodes.
As explained in Section 3, states in a CLTS do not hold information about the underlying topology. E.g., from the transition sequence Open image in new window Open image in new window we can infer that at the moment we reach \(t_1\), \(B\) was connected to \(A\), and at the moment we reach \(t_2\), \(C\) was connected to \(B\). So we can conclude that to reach \(t_2\) via this path, two links must exist (not essentially at the same time). That is, a multihop communication link from \(A\) to \(C\), denoted by \(A\dashrightarrow C\), must exist to reach \(t_2\). In general, to examine a property preconditioned by a multihop constraint over the topology, we look for a path in the CLTS along which the multihop relations are inferred.
Let \(T=\langle S,\Lambda ,\rightarrow ,s_0\rangle \) be a CLTS. A path \(\sigma \) of \(T\) is a sequence of transitions \(t_0 (\mathcal C _0,\eta _0) t_1 (\mathcal C _1,\eta _1) t_2 \ldots \) where \(\forall i\ge 0\,((t_{i1} (\mathcal C _{i},\eta _i) t_i)\in \,\rightarrow )\). A path is said to be maximal if it either is infinite or ends in a deadlock state.
A path \(t_0 (\mathcal C _0,\eta _0) t_1 (\mathcal C _1,\eta _1) t_2 \ldots \) is called \(\mathcal C \)path if \(\mathcal C _{i}\) conforms to \(\mathcal C \) for all \(i\ge 0\).
4.2 CACTL Syntax
The path formula based on the unless (weak until) operator \(\phi {~}_{\{\chi \}}\mathbf W {~}^{\mu } {\!}_{\{\chi '\}}\phi '\) specifies a path along which states satisfying property \(\phi \) perform actions from \(\chi \) at least as long as either \(\mu \) is never satisfied or no state satisfying \(\phi '\) is visited by an actions from \(\chi '\). We note that \(\mathbf {EW} \) cannot readily be defined in terms of \(\mathbf {AU} \) as opposed to CTL, due to actions of \(\chi \) and \(\chi '\) that should be visited to reach states satisfying \(\phi \) and \(\phi '\).
4.3 CACTL Semantics
4.4 CACTL Model Checking
We explain the idea of procedure CheckEU for the \(\mathbf {EU} \) operator; other CACTL operators can be dealt with in a similar way. The pseudo code of this procedure is given in Appendix A. For simplicity we assume that CLTSs are deadlockfree. We extend the application of \(\oplus \) to topology obligations: \(\mathcal C \oplus O=\{\langle \mu , \mathcal C \oplus \mathcal C '\rangle \mid \langle \mu , \mathcal C '\rangle \in O\}\). Two possible cases should be examined. In the first case, state \(s\) satisfies formula \(\mathbf E (\phi {~}_{\{\chi \}}\mathbf U {~}^{\mu } {\!}_{\{\chi '\}}\phi ')\) if there exists a path from \(s\) consisting of states satisfying property \(\phi \) under \(\zeta \) and actions from \(\chi \), until a state satisfying \(\phi '\) under \(\zeta \oplus \xi \) is reached after an action from \(\chi '\) and \(\xi \) induces \(\mu \), where \(\xi \) is the accumulated (dis)connectivity information along this path. To check this case, we move backward starting from the states where \(\phi '\) holds under \(\zeta \), first over a transition with an action from \(\chi '\), and then over transitions with an action from \(\chi \), passing over states where \(\phi \) holds under \(\zeta \). We record the status of links encountered during backward exploration of executions (note that these links conform to \(\zeta \)). To ensure conformability of the links recorded for \(\phi '\) to \(\zeta \oplus \xi \), we incrementally check conformability of these links to the partial of \(\xi \) being formed in the backward exploration. Since the yet unknown \(\xi \) should induce \(\mu \), we initially include topology obligation \(\langle \mu ,\{\}\rangle \) in the state label; its network constraint is incrementally updated while moving backward. Furthermore, we record the topology obligation generated during exploration of \(\phi \) and \(\phi '\). To ensure \(\phi '\) holds under \(\zeta \oplus \xi \), we incrementally update its recorded topology obligation while moving backward.
Let \(\Omega \) and \(\Omega '\) contain the links that occurred over executions during exploration of \(\phi \) and \(\phi '\), and \(O\) and \(O'\) the topology obligations generated during exploration of \(\phi \) and \(\phi '\) (under \(\zeta \)), respectively. Since first \(\phi \) and only after that \(\phi '\) needs to hold, these sets can be kept separate. The sets \(\Omega \) and \(\Omega '\) may contain conflicting conditions, and even if \(\Omega '\) conforms to the partial of \(\xi \), \(\Omega \cup \Omega '\) may not. To check conformability of \(\Omega '\) to and update \(O'\) with partial \(\xi \), we postpone mixing these sets until the end, and exploit a senary labeling \(\langle \mathbf E (\phi {~}_{\{\chi \}}\mathbf U {~}^{\mu } {\!}_{\{\chi '\}}\phi '),\Omega ,\Omega ',\mathcal C ,O,O'\rangle \). Let \(\mathcal C \) be the accumulated value of network constraints over the traversed execution path. By moving backward over a \((\mathcal C ,\eta )\)transition (where \(\mathcal C \) conforms to \(\zeta \) and \(\eta \) satisfies \(\chi '\)) from the state labeled with \(\langle \phi ',\Omega ',O'\rangle \) to the state labeled with \(\langle \phi ,\Omega ,O\rangle \), we add the label \(\langle \mathbf E (\phi {~}_{\{\chi \}}\mathbf U {~}^{\mu } {\!}_{\{\chi '\}}\phi '),\Omega \cup \mathcal C ,\Omega ',\mathcal C ,O,\{\langle \mu ,\mathcal C \rangle \}\cup \mathcal C \oplus O'\rangle \) to states labeled with \(\langle \phi ,\omega ,O\rangle \), if \(\Omega '\) conforms to \(\mathcal C \); it should be noted that \(\mathcal C \) is added to \(\Omega \) (and \(\Omega \) conforms to \(\zeta \)), \(O'\) is updated with \(\mathcal C \), and the obligation \(\{\langle \mu ,\mathcal C \rangle \}\) (\(\mathcal C \oplus \{\langle \mu ,\{\}\rangle \}\)) is generated during model checking of \(\mathbf E (\phi {~}_{\{\chi \}}\mathbf U {~}^{\mu } {\!}_{\{\chi '\}}\phi ')\). At the end of model checking, the senary labels \(\langle \mathbf E (\phi {~}_{\{\chi \}}\mathbf U {~}^{\mu } {\!}_{\{\chi '\}}\phi '),\Omega ,\Omega ',\mathcal C ,O,O'\rangle \) are replaced by \(\langle \mathbf E (\phi {~}_{\{\chi \}}\mathbf U {~}^{\mu } {\!}_{\{\chi '\}}\phi '),\Omega \cup \Omega ',O\cup O'\rangle \).
Labels of states in Fig. 4 while checking formula \(\varphi _2\equiv \mathbf E (\phi {~}_{\{a\vee \tau \}}\mathbf U {~}^{A\dashrightarrow B} {\!}_{\{b\}}\varphi _1)\), where \(\varphi _1\equiv \mathbf E (\phi {~}_{\{\chi \}}\mathbf U {~}^{A\dashrightarrow C} {\!}_{\{c\}}\phi )\) and \(\phi \equiv { true}\)
Steps  Actions 

1  \(\langle { true},\emptyset ,\emptyset \rangle \) are added to \(\mathcal M _{0,1_1,1_2,27}\) 
2  \(L_1\equiv \langle \varphi _1,\emptyset ,\emptyset ,\{\},\emptyset ,\{\langle A\rightsquigarrow C,\{\} \rangle \}\rangle \) is added to \(\mathcal M _{6}\) 
3  \(L_2\equiv \langle \varphi _1,\{D\rightsquigarrow C\} ,\emptyset ,\{D\rightsquigarrow C\},\emptyset ,\{\langle A\dashrightarrow C,\{D\rightsquigarrow C\} \rangle \}\rangle \) is added to \(\mathcal M _{5}\) 
4  \(L_3\equiv \langle \varphi _1,\{B\rightsquigarrow C,D\rightsquigarrow C\} ,\emptyset ,\{D\rightsquigarrow C,B\rightsquigarrow C\},\emptyset ,\{\langle A\dashrightarrow C,\{D\rightsquigarrow C,B\rightsquigarrow C\} \rangle \}\rangle \) is added to \(\mathcal M _{4}\) 
5  \(L_1\) is replaced by \(\langle \varphi _1,\emptyset ,\{\langle A\dashrightarrow C,\{\} \rangle \}\rangle \) in \(\mathcal M _6\) 
6  \(L_2\) is replaced by \(\langle \varphi _1,\{D\rightsquigarrow C\} ,\{\langle A\dashrightarrow C,\{D\rightsquigarrow C\} \rangle \}\rangle \) in \(\mathcal M _5\) 
7  \(L_3\) is replaced by \(\langle \varphi _1,\{B\rightsquigarrow C,D\rightsquigarrow C\} ,\{\langle A\dashrightarrow C,\{B\rightsquigarrow C,D\rightsquigarrow C\} \rangle \}\rangle \) in \(\mathcal M _4\) 
8  \(L_4\equiv \langle \varphi _2,\emptyset ,\{B\rightsquigarrow C,D\rightsquigarrow C\} ,\{\},\emptyset ,\{\langle A\dashrightarrow C,\{B\rightsquigarrow C,D\rightsquigarrow C\} \rangle ,\langle A\dashrightarrow B, \{\}\rangle \}\rangle \) is added to \(\mathcal M _{3}\) 
9  \(L_5\equiv \langle \varphi _2,\{A\rightsquigarrow D\},\{B\rightsquigarrow C,D\rightsquigarrow C\} ,\{A\rightsquigarrow D\},\emptyset ,\{\langle A\dashrightarrow C,\{A\rightsquigarrow D,B\rightsquigarrow C,D\rightsquigarrow C\} \rangle ,\) 
\(\langle A\dashrightarrow B, \{A\rightsquigarrow D\}\rangle \}\rangle \) is added to \(\mathcal M _{2}\)  
10  \(L_6\equiv \langle \varphi _2,\{D\rightsquigarrow B,A\rightsquigarrow D\},\{B\rightsquigarrow C,D\rightsquigarrow C\} ,\{D\rightsquigarrow B,A\rightsquigarrow D\},\emptyset ,\) 
\(\{\langle A\dashrightarrow C,\{D\rightsquigarrow B,A\rightsquigarrow D,B\rightsquigarrow C,D\rightsquigarrow C\} \rangle ,\langle A\dashrightarrow B, \{D\rightsquigarrow B,A\rightsquigarrow D\}\rangle \}\rangle \)  
is added to \(\mathcal M _{1_1}\) and \(\mathcal M _{0}\)  
11  \(L_4\) is replaced by \(\langle \varphi _2,\{B\rightsquigarrow C,D\rightsquigarrow C\}, \{\langle A\dashrightarrow C,\{B\rightsquigarrow C,D\rightsquigarrow C\} \rangle ,\langle A\dashrightarrow B, \{\}\rangle \}\rangle \) in \(\mathcal M _3\) 
12  \(L_5\) is replaced by \(\langle \varphi _2,\{A\rightsquigarrow D,B\rightsquigarrow C,D\rightsquigarrow C\}, \{\langle A\dashrightarrow C,\{A\rightsquigarrow D,B\rightsquigarrow C,D\rightsquigarrow C\} \rangle ,\) 
\(\langle A\dashrightarrow B, \{A\rightsquigarrow D\}\rangle \}\rangle \) in \(\mathcal M _2\)  
13  \(L_6\) is replaced by \(\langle \varphi _2,\{D\rightsquigarrow B,A\rightsquigarrow D,B\rightsquigarrow C,D\rightsquigarrow C\},\) 
\(\{\langle A\dashrightarrow C,\{D\rightsquigarrow B,A\rightsquigarrow D,B\rightsquigarrow C,D\rightsquigarrow C\} \rangle ,\langle A\dashrightarrow B, \{D\rightsquigarrow B,A\rightsquigarrow D\}\rangle \}\rangle \) in \(\mathcal M _1\) and \(\mathcal M _0\) 
As an example, we verify \(\mathbf E ({ true}{~}_{\{a\vee \tau \}}\mathbf U {~}^{A\dashrightarrow B} {\!}_{\{b\}}\mathbf E ({ true}{~}_{\{a\vee \tau \}}\mathbf U {~}^{A\dashrightarrow C} {\!}_{\{c\}}{ true}))\) under \(\{\}\) over the CLTS given in Fig. 4. States are initially labeled by \(\langle { true},\emptyset ,\emptyset \rangle \). Table 1 includes the labels given to the states in each step; first we label states \(\mathcal M _7\) to \(\mathcal M _4\) for the inner until operator, and then we label states \(\mathcal M _4\) to \(\mathcal M _0\) for the outer until operator. State \(\mathcal M _{1_2}\) is only labeled by \(\langle { true},\emptyset ,\emptyset \rangle \) and cannot be labeled further, because the set of links encountered during exploration of the inner until formula, i.e. \(\{B\rightsquigarrow C,D\rightsquigarrow C\}\), does not conform to \(\{D\rightsquigarrow B,D\mathrel {\not \rightsquigarrow }C\}\). State \(\mathcal M _0\) includes the label \(\langle \varphi _2,\{D\rightsquigarrow B,A\rightsquigarrow D,B\rightsquigarrow C,D\rightsquigarrow C\},\{\langle A\dashrightarrow C,\{D\rightsquigarrow B,A\rightsquigarrow D,B\rightsquigarrow C,D\rightsquigarrow C\} \rangle ,\langle A\dashrightarrow B, \{D\rightsquigarrow B,A\rightsquigarrow D\}\rangle \}\rangle \), so it satisfies \(\varphi _2\) (under \(\{\}\)), since \(\{D\rightsquigarrow B,A\rightsquigarrow D,B\rightsquigarrow C,D\rightsquigarrow C\}\models A\dashrightarrow C\) and \(\{D\rightsquigarrow B,A\rightsquigarrow D\}\models A\dashrightarrow B\). The topology formula \(A\dashrightarrow C\) in the inner until formula is satisfied after the network constraints \(A\rightsquigarrow D\) and \(D\rightsquigarrow B\) update their corresponding topology obligation while moving backward to model check the outer formula.
In the second case, \(s\) satisfies \(\mathbf E (\phi {~}_{\{\chi \}}\mathbf U {~}^{\mu } {\!}_{\{\chi '\}}\phi ')\) if there exists a path from \(s\) along which the states satisfy \(\phi \), the actions are from \(\chi \), and the accumulated (dis)connectivity information never induces \(\mu \) permanently (see Fig. 5 for two simple examples). To check the occurrence of this case, we decompose the CLTS into nontrivial strongly connected components (SCCs), meaning that they contain at least one edge.
5 Protocol Analysis with CACTL
To illustrate the expressiveness of CACTL in the analysis of MANETs, we specify properties for two important classes of protocols, namely routing and leader election.
6 Branching Network Bisimilarity
We define a novel notion of branching network bisimilarity that induces the same identification of CLTSs as our logical framework.
Definition 1.
Let \(\langle S,\Lambda ,\rightarrow ,s_0\rangle \) be a CLTS. States \(r,s\in S\) are logically equivalent, denoted by \(r\sim _{L}s\), iff \(\forall \zeta \in \mathbb C ~\forall \varphi \in { CACTL}~(r\models _\zeta \varphi \Leftrightarrow s\models _\zeta \varphi )\).
Intuitively, equivalent states in a CLTS exhibit the same behavior for any topology. This behavior includes communication and internal actions. Communication actions carry a message and the address of the sender, which can be abstracted into the unknown address \(?\). Two equivalent states must match on every internal action, receive action, and send action with a known address. A send action with unknown address can be mimicked by a send action with either a known or unknown address. Let \(\Longrightarrow \) denote the reflexivetransitive closure of \(\tau \)transitions, over all possible topologies.
Definition 2.

either \((\mathcal C ,\eta )\) is \((\{\},\tau )\), and \(t_1'\mathcal R t_2\); or

there are \(t_2'\) and \(t_2''\) such that Open image in new window , where \(t_1\mathcal R t_2'\) and \(t_1'\mathcal R t_2''\); or

\(\eta \equiv { nsnd}(\mathfrak m ,?)\), and there are \(t_2'\), \(t_2''\) and \(\ell \) such that Open image in new window , where \(t_1\mathcal R t_2'\) and \(t_1'\mathcal R t_2''\).
Theorem 1.
\(\simeq _{b}\) is an equivalence relation.
This theorem can be proved in a similar fashion as for branching computed network bisimilarity in [9]. As said, branching network bisimilarity and the equivalence relation induced by CACTL coincide. This can be proved for CLTSs with socalled boundednondeterminism following the approach of [4]. The result can be lifted to general CLTSs in the same vein as [19], by resorting to infinitary logics (see [11] for the proof).
Theorem 2.
Let \(\langle S,\Lambda ,\rightarrow ,s_0\rangle \) be a CLTS. For any \(r,s\in S\), \(r\simeq _{b}s\) iff \(r\sim _L s\).
7 Conclusion and Future Work
We introduced the branchingtime temporal logic CACTL, interpreted over CLTSs, to reason about topologydependent behavior of MANET protocols. We can investigate scenarios like after a route found and after two disconnected components merged with the help of multihop constraints over topologies, which are specified as a part of path operators in our logic. Advantages of our approach are flexibility in verifying topologydependent behavior (without changing the model), and restricting the generality of mobility. By nesting until operators, a specific path can be found with the help of topology constraints (without a need to specify how a topology constraint should be inferred), and then fixed for further exploration. The (dis)connectivity information in CLTS transitions makes it possible to restrict the generality of mobility as desired. By contrast, in approaches like [7], the inferences leading to the establishment of topology constraints should be embedded in the specification. Existing approaches to model mobility either are insusceptible to model checking [7, 13, 23], or require separate modeling of mobility [8]. The logic in [21] does not support verification of topologydependent behavior.
A model checker for CACTL is being implemented, using the rewrite logic Maude. We also intend to verify realworld MANET protocols.
Supplementary material
References
 Bhargavan, K., Obradovid, D., Gunter, C.A.: Formal verification of standards for distance vector routing protocols. Journal of the ACM 49(4), 538–576 (2002)MathSciNetCrossRefGoogle Scholar
 Clarke, E.M., Emerson, E.A.: Design and synthesis of synchronization skeletons using branchingtime temporal logic. In: Kozen, D. (ed.) Logic of Programs 1981. LNCS, vol. 131, pp. 52–71. Springer, Heidelberg (1982)Google Scholar
 De Nicola, R., Vaandrager, F.: Action versus state based logics for transition systems. In: Guessarian, I. (ed.) LITP 1990. LNCS, vol. 469, pp. 407–419. Springer, Heidelberg (1990)Google Scholar
 De Nicola, R., Vaandrager, F.: Three logics for branching bisimulation. Journal of the ACM 42(2), 458–487 (1995)zbMATHCrossRefGoogle Scholar
 De Renesse, R., Aghvami, A.H.: Formal verification of adhoc routing protocols using SPIN model checker. In: MELECON, pp. 1177–1182. IEEE (2004)Google Scholar
 Clarke, E., Grumberg, O., Peled, D.: Model Checking. MIT Press (2001)Google Scholar
 Fehnker, A., van Glabbeek, R., Höfner, P., McIver, A., Portmann, M., Tan, W.L.: A process algebra for wireless mesh networks. In: Seidl, H. (ed.) ESOP 2012. LNCS, vol. 7211, pp. 295–315. Springer, Heidelberg (2012)Google Scholar
 Fehnker, A., van Glabbeek, R., Höfner, P., McIver, A., Portmann, M., Tan, W.L.: Automated analysis of AODV using Uppaal. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 173–187. Springer, Heidelberg (2012)Google Scholar
 Ghassemi, F., Fokkink, W., Movaghar, A.: Equational reasoning on mobile ad hoc networks. Fundamenta Informaticae 103, 1–41 (2010)MathSciNetGoogle Scholar
 Ghassemi, F., Fokkink, W., Movaghar, A.: Verification of mobile ad hoc networks: An algebraic approach. Theoretical Computer Science 412(28), 3262–3282 (2011)MathSciNetzbMATHCrossRefGoogle Scholar
 Ghassemi, F., Ahmadi, S., Fokkink, W., Movaghar, A.: Model Checking MANETs with Arbitrary Mobility. In: Arbab, F., Sirjani, M. (eds.) FSEN 2013. LNCS, vol. 8161, pp. 214–228. Springer, Heidelberg (2013)Google Scholar
 Godskesen, J.C.: Observables for mobile and wireless broadcasting systems. In: Clarke, D., Agha, G. (eds.) COORDINATION 2010. LNCS, vol. 6116, pp. 1–15. Springer, Heidelberg (2010)Google Scholar
 Godskesen, J.C.: A calculus for mobile ad hoc networks. In: Murphy, A.L., Vitek, J. (eds.) COORDINATION 2007. LNCS, vol. 4467, pp. 132–150. Springer, Heidelberg (2007)Google Scholar
 Kouzapas, D., Philippou, A.: A process calculus for dynamic networks. In: Bruni, R., Dingel, J. (eds.) FMOODS/FORTE 2011. LNCS, vol. 6722, pp. 213–227. Springer, Heidelberg (2011)Google Scholar
 McIver, A., Fehnker, A.: Formal Techniques for Analysis of Wireless Network. In: ISoLA. LNCS vol. 6722, pp. 263–270. IEEE (2006)Google Scholar
 Meolic, R., Kapus, T., Brezocnik, Z.: ACTLW  An actionbased computation tree logic with unless operator. Information Sciences 178(6), 1542–1557 (2008)MathSciNetzbMATHCrossRefGoogle Scholar
 Merro, M.: An observational theory for mobile ad hoc networks. In: MFPS XXIII. ENTCS, vol. 173, pp. 275–293. Elsevier (2007)Google Scholar
 Mezzetti, N., Sangiorgi, D.: Towards a calculus for wireless systems. In: MFPS XXII. ENTCS, vol. 158, pp. 331–353. Elsevier (2006)Google Scholar
 Milner, R.: Communication and Concurrency. PrenticeHall (1989)Google Scholar
 Nanz, S., Hankin, C.: A framework for security analysis of mobile wireless networks. Theoretical Computer Science 367(1), 203–227 (2006)MathSciNetzbMATHCrossRefGoogle Scholar
 Nanz, S., Nielson, F., Nielson, H.: Static analysis of topologydependent broadcast networks. Information and Computation 208(2), 117–139 (2010)MathSciNetzbMATHCrossRefGoogle Scholar
 Perkins, C.E., BeldingRoyer, E.M.: Adhoc ondemand distance vector routing. In: WMCSA, pp. 90–100. IEEE (1999)Google Scholar
 Singh, A., Ramakrishnan, C.R., Smolka, S.A.: A process calculus for mobile ad hoc networks. In: Lea, D., Zavattaro, G. (eds.) COORDINATION 2008. LNCS, vol. 5052, pp. 296–314. Springer, Heidelberg (2008)Google Scholar
 van Glabbeek, R., Weijland, W.P.: Branching time and abstraction in bisimulation semantics. Journal of the ACM 43(3), 555–600 (1996)MathSciNetzbMATHCrossRefGoogle Scholar
 Vasudevan, S., Kurose, J., Towsley, D.: Design and analysis of a leader election algorithm for mobile ad hoc networks. In: ICNP, pp. 350–360. IEEE Computer Society (2004)Google Scholar
 Wibling, O., Parrow, J., Pears, A.: Automatized verification of ad hoc routing protocols. In: de FrutosEscrig, D., Núñez, M. (eds.) FORTE 2004. LNCS, vol. 3235, pp. 343–358. Springer, Heidelberg (2004)Google Scholar
 Wibling, O., Parrow, J., Pears, A.: Ad hoc routing protocol verification through broadcast abstraction. In: Wang, F. (ed.) FORTE 2005. LNCS, vol. 3731, pp. 128–142. Springer, Heidelberg (2005)Google Scholar