Skip to main content
SpringerLink
Log in

Specification and analysis of the AER/NCA active network protocol suite in Real-Time Maude

  • Published:
Formal Methods in System Design Aims and scope Submit manuscript

Abstract

This paper describes the application of the Real-Time Maude tool and the Maude formal methodology to the specification and analysis of the AER/NCA suite of active network multicast protocol components. Because of the time-sensitive and resource-sensitive behavior, the presence of probabilistic algorithms, and the composability of its components, AER/NCA poses challenging new problems for its formal specification and analysis. Real-Time Maude is a natural extension of the Maude rewriting logic language and tool for the specification and analysis of real-time object-based distributed systems. It supports a wide spectrum of formal methods, including: executable specification; symbolic simulation; breadth-first search for failures of safety properties in infinite-state systems; and linear temporal logic model checking of time-bounded temporal logic formulas. These methods complement those offered by network simulators on the one hand, and timed-automaton-based tools and general-purpose theorem provers on the other. Our experience shows that Real-Time Maude is well-suited to meet the AER/NCA modeling challenges, and that its methods have proved effective in uncovering subtle and important errors in the informal use case specification.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3

Similar content being viewed by others

Notes

  1. It is however possible to use formal methods and tools to support the passage from informal to formal specifications: a fairly large body of work on the formal underpinnings of UML, as well as work on passing from scenarios to system specifications and code [11] are good examples of work in this direction. But it does not follow from this that a full formalization of the entire process is possible: just the simple fact that ethical decisions are often involved in the choice of the relevant properties, particularly for safety-critical systems, seems to us a clear indication that it isn’t.

  2. Active networks allow users to inject programs into the nodes of the network.

  3. Rewrites cannot take place in a frozen argument position of a function symbol, so that a term \(f(t_1, \ldots, t_i, \ldots, t_n)\) will not rewrite to \(f(t_1, \ldots, u_i, \ldots, t_n)\) when t i rewrites to u i if \(i\in \phi(f)\).

  4. In general, the condition of such rules may not only contain rewrites \(u_i\longrightarrow v_i\) and equations \(w_j=w'_j\), but also memberships \(t_k:s_k\); however, the specifications in this paper do not use this extra generality.

  5. Operationally, a term is reduced to its E-normal form modulo A before any rewrite rule is applied in Maude. Under the coherence assumption [33] this is a complete strategy to achieve the effect of rewriting in \(E\cup A\)-equivalence classes.

  6. In Real-Time Maude, being an extension of Full Maude, module declarations and execution commands must be enclosed by a pair of parentheses.

  7. If one or more of an object's attributes are of sort Object or Configuration, an object may contain other objects, or even entire configurations, as parts of its state, giving rise to “Russian dolls” distributed object architectures [17].

  8. The attributes and rules of a class cannot be redefined by its subclasses, but subclasses may introduce additional attributes and rules.

  9. For the purpose of conveniently defining initial states, Real-Time Maude allows the user to introduce operators of sort GlobalSystem, such as RTTstate2 in Section 4.11.2. Each ground term of sort GlobalSystem must reduce to a term of the form { t } using the equations in the specification.

  10. Since the temporal logic model checker uses depth-first search techniques, there are cases in which the check command terminates even without a time limit, and where the temporal logic model checker would loop. One such example is shown in Section 4.13.

  11. The operators delta and mte should be declared to be frozen operators (see Section 3.1) in their first argument position to avoid ill-timed rewrites or rewrites in the time domain [24, 26].

  12. Recall from Section 3.1 that the attributes assoc, comm, and id: none of the operator \(\mathtt{\_\:\_}\) state that \(\mathtt{\_\:\_}\) is associative, commutative, and has identity element none. That is, together with the subsort Oid < OidSet, this operator defines multisets of Oid elements, where the order of the elements does not matter.

  13. The list concatenation operator \(\mathtt{\_+\_}\) is declared to be associative (assoc), so that parentheses are not needed and rules can match such lists with associative pattern matching.

  14. Maude supports both “Peano” and ordinary decimal representation of natural numbers, so that s N (in rule outOfDownLink) is an equivalent representation of N + 1. Furthermore, s N is an irreducible term which can be used as a pattern in the left-hand side of a rule.

  15. Since the total delay of a packet entering the link is larger than the delay of the packets already in the link, the first (leftmost) packet will have the smallest delay, and the last packet will have the largest delay.

  16. The output of Real-Time Maude executions will be manually tabulated for readability purposes, and parts of the output omitted in the exposition will be replaced by ‘...'

  17. Although the lpe estimates are then considered less reliable, this avoids having long initial computation segments that could cause combinatorial explosion when performing formal analysis. Furthermore, the design errors we found did not depend on the specific value chosen for the size bound.

  18. Since there is no repair service intervention for the NAMPackets, we have abstracted from their transmission times. The situation is even worse when there is a non-zero time interval without a nominee receiver. Indeed, even if the new nominee is aware of it being the new nominee before the old nominee becomes aware of the change, the protocol may still miss to acknowledge a data packet which arrives at the new nominee much earlier than at the old nominee.

  19. The sender sends an SPM packet when the protocol starts, explaining why the link becomes full after 9 data packets.

References

  1. Agha G, Gunter C, Greenwald M, Khanna S, Meseguer J, Sen K, Thati P (2005) Formal modeling and analysis of DoS using probabilistic rewrite theories. In: Workshop on Foundations of Computer Security (FCS’05)

  2. Agha G, Meseguer J, Sen K (2005) PMaude: Rewrite-based specification language for probabilistic object systems. In: 3rd Workshop on Quantitative Aspects of Programming Languages (QAPL’05)

  3. Behrmann G, David A, Larsen KG (2004) A tutorial on uppaal. In: Bernardo M, Corradini F (eds) Formal Methods for the Design of Real-Time Systems (SFM-RT 2004), volume 3185 of Lecture Notes in Computer Science. Springer, pp 200–236

  4. Bozga M, Graf S, Ober I, Ober I, Sifakis J (2004) Tools and applications II: The IF toolset. In: Bernardo M, Corradini F (eds) Formal Methods for the Design of Real-Time Systems (SFM-RT 2004), volume 3185 of Lecture Notes in Computer Science. Springer, pp 237–267

  5. Bruni R, Meseguer J (2003) Generalized rewrite theories. In: Baeten JCM, Lenstra JK, Parrow J, Woeginger GJ (eds) 30th International Colloquium on Automata, Languages and Programming (ICALP 2003), volume 2719 of Lecture Notes in Computer Science. Springer, pp 252–266

  6. Clavel M, Durán F, Eker S, Lincoln P, Martí-Oliet N, Meseguer J, Quesada JF (2002) Maude: Specification and programming in rewriting logic. Theor Comput Sci 285:187–243

    Article  MATH  Google Scholar 

  7. Clavel M, Dúran F, Eker S, Lincoln P, Martí-Oliet N, Meseguer J, Talcott C (2005) Maude manual (Version 2.1.1), http://maude.cs.uiuc.edu

  8. Eker S, Meseguer J, Sridharanarayanan A (2002) The Maude LTL model checker. In: Gadducci F, Montanari U (eds) Fourth International Workshop on Rewriting Logic and its Applications, volume 71 of Electronic Notes in Theoretical Computer Science. Elsevier

  9. Goodloe A, Gunter CA, Stehr M-O (2005) Formal prototyping in early stages of protocol design. In: Workshop on Issues in the Theory of Security (WITS’05), pp 67–80

  10. Gutierrez-Nolasco S, Venkatasubramanian N, Stehr M-O, Talcott CL (2004) Exploring adaptability of secure group communication using formal prototyping techniques. In: 3rd Workshop on Reflective and Adaptive Middleware (RM2004)

  11. Harel D (2000) From play-in scenarios to code: An achievable dream. In: FASE’00, Fundamental Approaches to Software Engineering, volume 1783 of Lecture Notes in Computer Science. Springer, pp 22–34

  12. Henzinger TA, Ho P-H, Wong-Toi H (1997) HyTech: A model checker for hybrid systems. Softw Tools Technol Transfer 1:110–122

    Article  MATH  Google Scholar 

  13. Kasera S, Bhattacharyya S, Keaton M, Kiwior D, Kurose J, Towsley D, Zabele S (2000) Scalable fair reliable multicast using active services. IEEE Network Mag 14(1):48–57 (Special Issue on Multicast)

    Article  Google Scholar 

  14. Knuth DE (1981) The art of computer programming: Seminumerical algorithms, vol 2, 2nd edn. Addison-Wesley

  15. Kumar N, Sen K, Meseguer J, Agha G (2003) A rewriting based model of probabilistic distributed object systems. In: Formal Methods for Open Object-Based Distributed Systems (FMOODS 2003), vol 2884 of Lecture Notes in Computer Science. Springer, pp 32–46

  16. Lien E (2004) Formal modelling and analysis of the NORM multicast protocol using Real-Time Maude. Master's thesis, Department of Linguistics, University of Oslo

  17. Meseguer J, Talcott CL (2002) Semantic models for distributed object reflection. In: Magnusson B (ed) 16th European Conference on Object-Oriented Programming (ECOOP 2002), volume 2374 of Lecture Notes in Computer Science. Springer, pp 1–36

  18. Meseguer J (1992) Conditional rewriting logic as a unified model of concurrency. Theor Comput Sci 96:73–155

    Article  MATH  MathSciNet  Google Scholar 

  19. Meseguer J (1993) A logical theory of concurrent objects and its realization in the Maude language. In: Agha G, Wegner P, Yonezawa A (eds) Research directions in concurrent object-oriented programming. MIT Press, pp 314–390

  20. Meseguer J (1998) Membership algebra as a logical framework for equational specification. In: Parisi-Presicce F (ed) WADT’97, volume 1376 of Lecture Notes in Computer Science, Springer, pp 18–61

  21. Meseguer J (2000) Rewriting logic and Maude: A wide-spectrum semantic framework for object-based distributed systems. In: Smith S, Talcott CL (eds) Formal Methods for Open Object-Based Distributed Systems, FMOODS 2000. Kluwer, pp 89–117

  22. Ölveczky PC, Keaton M, Meseguer J, Talcott C, Zabele S (2001) Specification and analysis of the AER/NCA active network protocol suite in Real-Time Maude. In: Hussmann H (ed) Fundamental Approaches to Software Engineering (FASE 2001), volume 2029 of Lecture Notes in Computer Science, Springer, pp 333–347

  23. Ölveczky PC, Meseguer J, Talcott CL (2004) Specification and analysis of the AER/NCA active network protocol suite in Real-Time Maude. Technical report, Department of Computer Science, University of Illinois at Urbana-Champaign

  24. Ölveczky PC, Meseguer J (2002) Specification of real-time and hybrid systems in rewriting logic. Theor Comput Sci 285:359–405

    Article  MATH  Google Scholar 

  25. Ölveczky PC, Meseguer J (2004) Specification and analysis of real-time systems using Real-Time Maude. In: Margaria T, Wermelinger M (eds) Fundamental Approaches to Software Engineering (FASE 2004), volume 2984 of Lecture Notes in Computer Science. Springer, pp 354–358

  26. Ölveczky PC, Meseguer J (2005) Real-Time Maude 2.1. In: Martí-Oliet N (ed) 5th International Workshop on Rewriting Logic and its Applications (WRLA 2004), volume 117 of Electronic Notes in Theoretical Computer Science. Elsevier, pp 285–314

  27. Ölveczky PC, Meseguer J (2006) Abstraction and completeness for Real-Time Maude. In: Denker G, Talcott CL (eds) 6th International Workshop on Rewriting Logic and its Applications (WRLA’06). To appear in Electronic Notes in Theoretical Computer Science

  28. Ölveczky PC, Thorvaldsen S (2006) Formal modeling and analysis of wireless sensor network algorithms in Real-Time Maude. In: 20th International Parallel and Distributed Processing Symposium (IPDPS 2006). IEEE Computer Society Press

  29. Ölveczky PC (2000) Specification and analysis of real-time and hybrid systems in rewriting logic. PhD thesis, University of Bergen

  30. Ölveczky PC (2004) Real-Time Maude 2.1 manual. http://www.ifi.uio.no/RealTimeMaude/

  31. Ölveczky PC (2005) Formal modeling and analysis of distributed systems in Maude. Course book for INF3230, Dept. of Informatics, University of Oslo

  32. Sen K, Viswanathan M, Agha G (2005) On statistical model checking of stochastic systems. In: 17th Conference on Computer-Aided Verification (CAV’05), volume 3576 of Lecture Notes in Computer Science. Springer

  33. Viry P (2002) Equational rules for rewriting logic. Theor Comput Sci 285:487–517

    Article  MATH  MathSciNet  Google Scholar 

  34. Yovine S (1997) Kronos: A verification tool for real-time systems. Softw Tools Technol Trans 1(1/2):123–133

    Article  MATH  Google Scholar 

Download references

Acknowledgments

We are grateful to Mark Keaton and Steve Zabele for their invaluable cooperation during the specification and analysis of a previous version, in Real-Time Maude 1.0, of the AER/NCA protocol suite. Their explanation of AER/NCA and related issues, their feedback to our specification efforts, and their suggestions of suitable initial states for the analysis parts were essential for the modeling and analysis described in this paper. We also thank the anonymous referees for many helpful comments on a previous version of this paper. Partial support of this research by ONR Grant N00014-02-1-0715, by NSF Grant CCR-0234524, by DARPA through Rome Labs. Contract F30602-97-C-0312, and by The Norwegian Research Council is gratefully acknowledged.

Author information

Authors and Affiliations

  1. Department of Computer Science, Thomas M. Siebel Center for Computer Science, 201 N Goodwin Ave, Urbana, IL, 61801-2302, USA

    Peter Csaba Ölveczky & José Meseguer

  2. Department of Informatics, University of Oslo, P.O. Box 1080 Blindern, 0316, Oslo, Norway

    Peter Csaba Ölveczky

  3. Computer Science Laboratory, SRI International, 333 Ravenswood Avenue, Menlo Park, CA, 94025-3493, USA

    Carolyn L. Talcott

Authors
  1. Peter Csaba Ölveczky
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. José Meseguer
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Carolyn L. Talcott
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Peter Csaba Ölveczky.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Ölveczky, P.C., Meseguer, J. & Talcott, C.L. Specification and analysis of the AER/NCA active network protocol suite in Real-Time Maude. Form Method Syst Des 29, 253–293 (2006). https://doi.org/10.1007/s10703-006-0015-0

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10703-006-0015-0

Keywords

Search

Navigation