TIMO: Timed Mobility in Distributed Systems


Gabriel Ciobanu
Romanian Academy, Institute of Computer Science, Iaşi

Abstract. A simple and expressive formalism called TIMO is presented as a simplified version of the timed distributed π-calculus. TIMO aims to bridge the gap between the existing theoretical approach of process calculi and forthcoming realistic languages for multi-agent systems.

Keywords: distributed systems, timed migration and communication, local clocks, maximal parallelism, formal verification.

I. INTRODUCTION

The complexity of safety-critical systems, in particular of the new systems involving time and mobility, is increasing year by year. Such systems require appropriate formalisms and techniques for their specification and verification. Since these time-critical systems grow more complex and more powerful, it is important to find formal methods that scale, for both specification and verification. Two successful formalisms for the specification and verification of time-critical systems are timed automata and Petri nets; however, they are not easily scalable, which is why we look for compositional specification and verification techniques. In terms of specification, a process calculus solves the compositionality issue. However, absolute time given by the duration of actions does not lead to good results in automated verification. This is why we use relative time, provided by timeouts on the actions of such a process calculus.

We consider a process calculus named TIMO with explicit migration, allowing the use of timers for controlling process mobility and interaction. Migration involves several (explicit) locations. Each location has a local clock; local clocks are meant to specify distributed systems more accurately. It is also possible to use a single global clock, and we consider such a real-time version of the process calculus as well.
Timing constraints for migration allow one to specify a temporal timeout after which a mobile process must move to another location. Two processes may communicate only if they are present at the same location. TIMO allows maximal parallelism of actions. Thus we can specify and analyse complex timed systems in a new way, different from the traditional ones. In terms of verification, interesting properties described by TIMO regarding process migration, time constraints, bounded liveness and optimal reachability can be analysed and checked. A verification tool called TIMO@PAT has been developed on top of an extensible platform for model checkers called PAT.

II. TIMO

Process calculi are used to model distributed systems. Various features were introduced to obtain such formalisms, including explicit locations in the distributed π-calculus [13], and explicit migration and timers in the timed distributed π-calculus [9]. Most papers considering time assume the existence of a global clock; however, there are several applications and systems for which a global clock would be inappropriate. The process calculus TIMO is introduced in [6] as a formalism for mobile systems in which it is possible to add timers to control process mobility and interaction. A local clock is assigned to each location, and each local clock determines the timing of the actions executed at the corresponding location [7]. Inspired by TIMO, a flexible software platform supporting the specification of agents and allowing timed migration in a distributed environment is presented in [5].

Timing constraints for migration allow one to specify a temporal interval in which a mobile process must move to another location. A timer 3 associated to a migration action go^3 work indicates that the process moves to location work after at most 3 time units.
It is also possible to constrain the waiting period for a communication on a channel; if a communication action does not happen before a deadline, the process gives up and switches to an alternative. E.g., a timer 5 associated to an output action a^5!⟨10⟩ makes the channel available for communication only for a period of 5 time units.

We assume suitable data sets, including a set Loc of locations and a set Chan of communication channels. We use a set Id of process identifiers, and each id ∈ Id has an arity m_id. In what follows, we write v for a finite tuple of elements (v_1, ..., v_k) whenever this does not lead to confusion.

Table I. TIMO syntax.

  P ::= a^lt ! ⟨v⟩ then P else P        (output)
        a^lt ? (u : X) then P else P     (input)
        go^lt l then P                   (move)
        P | P                            (parallel)
        0                                (termination)
        id(v)                            (definition)
        S P                              (stalling)

  L ::= l[[P]]                           (located processes)

  N ::= L                                (networks)
        L | N

The syntax of TIMO is given in Table I, where P ranges over processes, L over located processes, and N over networks [7]. For each id ∈ Id there is a unique definition of the form id(u_1, ..., u_{m_id} : X^id_1, ..., X^id_{m_id}) = P_id, where P_id is a process expression, the u_i are distinct variables playing the role of parameters, and the X^id_i are data types. In the syntax, a ∈ Chan is a channel; lt ∈ ℕ ∪ {∞} is a deadline, where lt stands for local time; each v_i in v is an expression built from data values and variables; each u_i in u is a variable, and each X_i in X is a data type; l is a location or a location variable; and S is a special symbol used to state that a process is temporarily stalled and will be re-activated after a time progress. The only variable-binding constructor is a^lt ? (u : X) then P else P′, which binds the variables u within P (but not within P′). We use fv(P) to denote the free variables of a process P (and similarly for networks). For a process definition, we assume that fv(P_id) ⊆ {u_1, ..., u_{m_id}}, so the free variables of P_id are parameter-bound. Processes are defined up to α-conversion, and {v/u, ...}P is obtained from P by replacing all free occurrences of a variable u by v, etc., possibly after α-converting P in order to avoid clashes. Moreover, if v and u are tuples of the same length, then {v/u}P denotes {v_1/u_1, v_2/u_2, ..., v_k/u_k}P.

Intuitively, a process a^lt ! ⟨v⟩ then P else P′ attempts to send the tuple of values v over channel a for lt time units. If successful, it continues as process P; otherwise, it continues as process P′. Similarly, a^lt ? (u : X) then P else P′ is a process that attempts for lt time units to input a tuple of values of type X and substitute them for the variables u. Mobility is implemented by a process go^lt l then P, which moves from the current location to location l within lt time units.
Note that since l can be a variable, its value being assigned dynamically through communication with other processes, migration actions support a flexible scheme for the movement of processes from one location to another. By delaying the migration to another location, we can model in a simple way the travel time of processes within the network, which is in general outside the control of a system designer. Processes are further constructed from the (terminated) process 0 and the parallel composition P | P′. A located process l[[P]] specifies a process P running at location l, and networks are composed of located processes. A network N is well-formed if there are no free variables in N, there are no occurrences of the special symbol S in N, and, assuming that id is as in the recursive definition of a process, for every id(v) occurring in N or on the right-hand side of any recursive equation, the expression v_i is of the type corresponding to X^id_i. The set of processes is denoted by P, the set of located processes by L, and the set of networks by N.

The operational semantics of TIMO uses a structural equivalence ≡ on networks. This is the smallest congruence such that the first three equalities in Table II hold, and its role is to rearrange a network in order to apply the action rules, which are also given in Table II. Using the first three equalities in Table II, one can always transform a given network N into a finite parallel composition of located processes of the form l_1[[P_1]] | ... | l_n[[P_n]] such that no process P_i has the parallel composition operator at its topmost level. Each located process l_i[[P_i]] is called a component of N, and the parallel composition is called a component decomposition of the network N. Note that these notions are well defined, since the component decomposition is unique up to the permutation of the components. This follows from the rule (CALL), which treats recursive definitions as function calls that take a unit of time, rather than unfolding them through the structural equivalence.
Another consequence of such a treatment is that it is impossible to execute an infinite sequence of action steps without executing any time actions. Table II presents two kinds of rules: N --λ--> N′ and N ->_l N′. The former is an execution of an action λ; the latter is a time step at location l.

Table II. TIMO operational semantics.

  (NCOMM)   N | N′ ≡ N′ | N
  (NASSOC)  (N | N′) | N″ ≡ N | (N′ | N″)
  (NSPLIT)  l[[P | P′]] ≡ l[[P]] | l[[P′]]

  (MOVE)    l[[go^lt l′ then P]] --l′--> l′[[S P]]

  (COM)     v_1 ∈ X_1 ... v_k ∈ X_k
            l[[a^lt ! ⟨v⟩ then P else Q | a^lt′ ? (u : X) then P′ else Q′]] --a--> l[[S P | S {v/u}P′]]

  (CALL)    l[[id(v)]] --id@l--> l[[S {v/u}P_id]]

  (PAR)     N --λ--> N′  implies  N | N″ --λ--> N′ | N″

  (EQUIV)   N ≡ N′, N′ --λ--> N″, N″ ≡ N‴  implies  N --λ--> N‴

  (TIME)    N ↛_l  implies  N ->_l φ_l(N)

In the rule (COM), the premise v_1 ∈ X_1, ..., v_k ∈ X_k requires the sent values to have the declared types. In the rule (TIME), N ↛_l means that the rules (CALL) and (COM), as well as (MOVE) with lt = 0, cannot be applied to N for location l. Moreover, φ_l(N) is obtained by taking the component decomposition of N and simultaneously replacing every component l[[a^lt ω then P else Q]] by

  l[[Q]]                          if lt = 0,
  l[[a^(lt−1) ω then P else Q]]   otherwise,

and every component l[[go^lt l′ then P]] by l[[go^(lt−1) l′ then P]]. Here ω stands for !⟨v⟩ or ?(u : X). After that, all the occurrences of the symbol S in N are erased, since the processes that were unfolded, interacted with other processes or migrated need to be activated (note that the number of symbols S to be erased cannot exceed the number of components of the network).
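The rules of Table II and the time step φ_l, as an executable model. This is an added example, not code from the paper or from TIMO@PAT: a network is kept as its component decomposition, a list of (location, process, stalled) triples with the marker S as a flag; data types and the v_i ∈ X_i check are omitted; and the substitution {v/u} is represented by a Python continuation applied to the received values. One call to step performs the complete computational step at the selected location, namely the mandatory (CALL) unfoldings and expired (MOVE)s, the maximally parallel (COM) pairings, optionally the unexpired migrations, and then φ_l. The travel shop of Example 1 in Section III is encoded as sample input, with ∞ as the deadline of its untimed communications.

```python
"""Executable model of one TiMo computational step (added example, not code
from the paper or from TiMo@PAT).  A network is its component decomposition:
a list of (location, process, stalled) triples, the flag being the marker S.
Data types and the v_i in X_i check are omitted, and an input continuation is
a Python function of the received values, standing in for {v/u}."""
from dataclasses import dataclass, replace
from math import inf
from typing import Callable, Dict, List, Tuple, Union

@dataclass(frozen=True)
class Stop:                       # 0
    pass

@dataclass(frozen=True)
class Go:                         # go^lt dest then cont
    lt: float
    dest: str
    cont: "Proc"

@dataclass(frozen=True)
class Out:                        # chan^lt ! <vals> then then_ else else_
    chan: str
    lt: float
    vals: tuple
    then_: "Proc"
    else_: "Proc"

@dataclass(frozen=True)
class In:                         # chan^lt ? (u : X) then then_(u) else else_
    chan: str
    lt: float
    then_: Callable[..., "Proc"]
    else_: "Proc"

@dataclass(frozen=True)
class Call:                       # id(v)
    name: str
    args: tuple = ()

Proc = Union[Stop, Go, Out, In, Call]
Comp = Tuple[str, Proc, bool]
Defs = Dict[str, Callable[..., Proc]]

def step(net: List[Comp], loc: str, defs: Defs, move_early: bool = False) -> List[Comp]:
    """One derivation N ==Lambda@loc==> N': the actions at loc, then its clock tick."""
    done: List[Comp] = []   # components taking no further part in this step
    active: List[Comp] = []
    for l, p, s in net:     # (CALL) and (MOVE) with lt = 0 are mandatory; the
        if l != loc or s:   # results carry S and so cannot act again this step
            done.append((l, p, s))
        elif isinstance(p, Call):
            done.append((loc, defs[p.name](*p.args), True))
        elif isinstance(p, Go) and p.lt == 0:
            done.append((p.dest, p.cont, True))
        else:
            active.append((l, p, s))
    while active:           # (COM), maximally parallel; which pairs form is a
        l, p, s = active.pop(0)   # nondeterministic choice: first match here
        want = {Out: In, In: Out}.get(type(p))
        partner = next((c for c in active if want and isinstance(c[1], want)
                        and c[1].chan == p.chan), None)
        if partner is None:       # an unexpired (MOVE) is allowed, not required
            early = move_early and isinstance(p, Go)
            done.append((p.dest, p.cont, True) if early else (l, p, s))
            continue
        active.remove(partner)
        snd, rcv = (p, partner[1]) if isinstance(p, Out) else (partner[1], p)
        done += [(loc, snd.then_, True), (loc, rcv.then_(*snd.vals), True)]
    result: List[Comp] = []  # (TIME): phi_loc on the uninvolved components at
    for l, p, s in done:     # loc, then every S in the network is erased
        if s:
            result.append((l, p, False))
        elif l != loc or isinstance(p, Stop):
            result.append((l, p, s))
        elif isinstance(p, (Out, In)) and p.lt == 0:
            result.append((loc, p.else_, False))      # deadline expired
        elif p.lt != inf:
            result.append((loc, replace(p, lt=p.lt - 1), False))
        else:
            result.append((l, p, s))
    return result

def run(net: List[Comp], defs: Defs, schedule: List[str]) -> List[Comp]:
    """Select the active locations in the given order, one step at each."""
    for loc in schedule:
        net = step(net, loc, defs)
    return net

# Example 1 as sample input; untimed communications get the deadline infinity.
DEFS: Defs = {
    "client": lambda init: Go(1, "travelshop", In("flight", inf,
        lambda price: Go(1, "home", Call("client", (init - price,))), Stop())),
    "agent": lambda balance: In("data", inf, lambda price: Go(1, "travelshop",
        Out("flight", inf, (price,), Call("agent", (balance + price,)), Stop())), Stop()),
    "query": lambda: Out("data", inf, (100,), Call("query"), Stop()),
}
NET: List[Comp] = [("home", Call("client", (130,)), False),
                   ("server", Call("agent", (100,)), False),
                   ("server", Call("query"), False)]
```

With the schedule home, home, home, server ×4, travelshop, the client reaches travelshop on the third tick of home (the CALL takes one tick, the timer of go^1 one more, and the expired migration is then mandatory), the agent receives 100 over data and brings the price to travelshop, and after the single travelshop tick the client holds go^1 home then client(30) while the agent continues as agent(200). Passing move_early=True lets a process with an unexpired timer leave at once; that choice, like the choice of which sender meets which receiver under (COM), is the nondeterminism the calculus leaves open.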

Table III. Interesting properties of the travel shop system.

  Name  Definition                                      Meaning
  R1    T ⊨ (init_client = 70 ∧ balance_agent = 170)   The balance of client is 70 and the balance of agent is 170.
  R2    T ⊨ client@bank                                 client is able to arrive at bank.
  BL1   R1 ∧ t_client ≤ 10                              R1 is satisfied within 10 ticks for client.
  BL2   R2 ∧ t_client ≤ 5                               R2 is satisfied within 5 ticks for client.
  OR1   R1 ∧ min(t_client)                              The shortest time of R1 for client.
  OR2   R2 ∧ min(t_client)                              The shortest time of R2 for client.
  DF    deadlock free                                   A deadlock state is undesired.

The rules of Table II express executions of individual actions. A complete computational step is captured by a derivation of the form N ==Λ@l==> N′, where Λ = {λ_1, ..., λ_m} (m ≥ 0) is a finite multiset of actions for some location l (i.e., actions λ_i of the form l′, a or id@l) such that N --λ_1--> N_1 ... --λ_m--> N_m ->_l N′. That is, a derivation is a sequence of individual actions followed by a clock tick, all happening at the same location. Intuitively, this captures the cumulative effect of the concurrent execution of the multiset of actions Λ at location l, and so we write N ==Λ@l==> N′.

In terms of executing TIMO specifications on an abstract machine, one can imagine the latter as a device transforming well-formed networks into well-formed networks. At any stage, the machine selects one location l as the active one. Then it executes all interprocess communications within location l, as well as all migrations with expired (zero) timers, in a maximally concurrent way. This is followed by the execution of arbitrarily many migrations with unexpired timers at location l. Finally, it decrements all the top-most timers of the network components at location l which have not been involved in the current computational step.

III. TIMO@PAT

In order to support the automated analysis of TIMO models, we use the PAT [16] framework to develop a model checker for TIMO, called TIMO@PAT.
The new tool is created in two steps: first, we encode the operational semantics of each TIMO construct to obtain a Labelled Transition System (LTS) semantics and the state space of the system; second, we define domain-specific properties for TIMO and develop model checking algorithms based on the generic algorithms provided by PAT's library. Figure 1 presents the overview of our tool TIMO@PAT. The tool can be found at

Figure 1. Overview of TIMO@PAT: a TIMO system is parsed into an LTS, which feeds the simulator and, together with the assertions, the verifier.

Besides general properties of systems, such as state reachability and deadlock freeness, TIMO@PAT supports the analysis of domain-specific properties, including process location reachability and time-bounded process migration. In particular, TIMO properties refer to the implicit variables of TIMO processes and channels, including process location, process timer and channel data.

To illustrate the types of properties that can be verified in TIMO@PAT, we present a simple TIMO system for a travel shop, where a client process migrates between the locations home and travelshop to purchase a flight ticket.

Example 1 (Simple Travel Shop System).

  TS = home[[client(130)]] | server[[agent(100)]] | server[[query]];
  client(init : int) = go^1 travelshop then flight?(price : int) then go^1 home then client(init − price);
  agent(balance : int) = data?(price : int) then go^1 travelshop then flight!⟨price⟩ then agent(balance + price);
  query = data!⟨100⟩ then query;

Firstly, we might be interested in reachability properties (i.e., whether the system TS can reach a certain state). For example, we could check whether the process client is able to arrive at location travelshop, or whether it is possible for the value of balance to become less than 100 during the evolution of the system. Secondly, we can combine reachability properties with bounded constraints (i.e., by asking whether a particular state is reached before a given number of time steps have elapsed).
For instance, we might verify whether the process client is able to arrive at location paying within less than 10 time units. Thirdly, if a (bounded) reachability property P_R is valid, we can ask for the states of TS which both satisfy P_R and are optimal with respect to a certain criterion. For properties of this kind, the TIMO@PAT tool provides an explicit path to one of the aforementioned states. As an example, we can obtain an execution path for the process client to arrive at location paying in the shortest time. Such properties are very practical for distributed systems such as banking and train ticketing systems. We can define different optimisation heuristics by changing the optimality constraint. For example, instead of looking for the shortest time of a certain client, the constraint could be defined as the minimal sum of the times of all clients in the system.

A number of properties were analysed in [11] for the TIMO system described in [8]. These properties are defined in Table III. For the properties from R1 to BL2, the results are obtained in a short time (namely less than one second). This is because an on-the-fly model checking approach is applied, and the analysis terminates as soon as a target state is found. Optimised reachability and deadlock-freedom checking require much more time, because the whole state space needs to be explored to answer the question. Since the value of each process timer increases without bound, we need to set a bound on each process timer in order to apply model checking. In our experiments, we set the timer bound at 10 ticks. This is reasonable for our example, because all the reachability properties are satisfied within 10 ticks, while the optimal properties look for the shortest time.

IV. TIMO WITH ACCESS PERMISSIONS

In TIMO, there is unrestricted communication between processes residing at the same location and sharing the same channel. However, in more realistic settings it is very likely that some channels are not available at certain locations, for reasons of security. As a means of dealing with such issues, we extend TIMO with access permissions for interprocess communication, resulting in a new formalism called PERTIMO (Permissions, Timers and Mobility). An important feature of the proposed formalism is that access permissions are dynamic: processes can acquire new access permissions, or lose some of their current access permissions, while moving from one location to another, which models an important security feature.

Access permissions in PERTIMO have a straightforward meaning: to communicate over a channel at a given network location, the sender process must have a put access permission and the receiving process a get access permission. In general, the set of access permissions Γ of a process is a subset of the overall set of access permissions

  AccPerm =df {put, get} × Chan × Loc.

We write get_a@l for the access permission (get, a, l) ∈ AccPerm and put_a@l for (put, a, l) ∈ AccPerm. Intuitively, we work with access permissions over sockets, where l represents an IP address and a represents a communication port.
Inspired primarily by the security issues of network migration, we allow the access permissions of a process to change while it moves from one location to another. To model this, we use the following four basic access permission modification operations:

  put+_a@l    get+_a@l    put−_a@l    get−_a@l

where l is a location and a is a communication channel. The first two (put+_a@l and get+_a@l) add access permissions, while the latter two (put−_a@l and get−_a@l) remove access permissions. For instance,

  put+_a@l(Γ) = Γ ∪ {put_a@l}.

An access permission modification operation is then either the identity on AccPerm, or a composition of some basic access permission modification operations such that if put+_a@l is used in the composition then put−_a@l is not used (giving and at the same time removing an access permission does not make sense). For instance,

  (get+_a@l ∘ put−_b@l)(Γ) = (Γ ∪ {get_a@l}) \ {put_b@l}.

For a given network, we then specify what the changes to the access permission sets of processes migrating from one location to another are. This is specified as an access permission modification mapping apmod which, for each pair of locations, returns a permission modification operation. Hence, if a process with the current access permissions Γ moves from location l to location l′, its new set of access permissions becomes apmod(l, l′)(Γ).

In order to demonstrate the practical utility of PERTIMO, we aim at an algorithm for verifying that a migrating process possesses a sufficiently rich set of initial access permissions, so that whenever it attempts to communicate over a channel it has the required access permission, irrespective of the other processes used in the construction of the system. In doing so, we take into account that migrating processes have their access permission sets modified according to the mapping apmod.
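The permission sets, the basic modification operations and the mapping apmod, together with a static check in the spirit of the algorithm just described, as an added example (not code from the PERTIMO paper). The process syntax (Move, Comm, Call, Stop), the client term and the apmod table are constructed for this example. The check walks a single process term, applies apmod(l, l′) at every migration, and collects the put/get permissions the process could need at some location without holding them, independently of the other processes in the system; timers play no role in it, so they are left out.

```python
"""Access permissions for migrating processes (added example, not code from the
PerTiMo paper): permission sets, the basic modification operations, their
composition, the apmod mapping, and a static check that walks one process term,
updates its permissions at each migration and reports every put/get permission
it could need but not hold.  Process syntax and sample data are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple, Union

Perm = Tuple[str, str, str]   # (kind, channel, location), kind in {"put", "get"}

@dataclass(frozen=True)
class ApMod:
    """A permission-modification operation: add these, then remove those."""
    add: FrozenSet[Perm] = frozenset()
    remove: FrozenSet[Perm] = frozenset()

    def __post_init__(self) -> None:
        clash = self.add & self.remove   # giving and removing the same
        if clash:                        # permission makes no sense
            raise ValueError(f"inconsistent modification: {sorted(clash)}")

    def __call__(self, perms: FrozenSet[Perm]) -> FrozenSet[Perm]:
        return (perms | self.add) - self.remove

IDENTITY = ApMod()   # apmod(l, l') defaults to the identity on AccPerm

def plus(kind: str, a: str, l: str) -> ApMod:    # put+_{a@l} or get+_{a@l}
    return ApMod(add=frozenset({(kind, a, l)}))

def minus(kind: str, a: str, l: str) -> ApMod:   # put-_{a@l} or get-_{a@l}
    return ApMod(remove=frozenset({(kind, a, l)}))

def compose(*ops: ApMod) -> ApMod:
    """Compose basic operations; __post_init__ rejects put+/put- clashes."""
    return ApMod(add=frozenset().union(*(o.add for o in ops)),
                 remove=frozenset().union(*(o.remove for o in ops)))

@dataclass(frozen=True)
class Stop:                   # 0
    pass

@dataclass(frozen=True)
class Move:                   # go l' then cont (the timer is irrelevant here)
    dest: str
    cont: "Proc"

@dataclass(frozen=True)
class Comm:                   # kind "put": a ! ... then then_ else other
    kind: str                 # kind "get": a ? ... then then_ else other
    chan: str
    then_: "Proc"
    other: "Proc"

@dataclass(frozen=True)
class Call:                   # id(v); the arguments do not affect permissions
    name: str

Proc = Union[Stop, Move, Comm, Call]

def missing_permissions(proc: Proc, loc: str, perms: FrozenSet[Perm],
                        apmod: Dict[Tuple[str, str], ApMod],
                        defs: Dict[str, Proc]) -> Set[Perm]:
    """Permissions the process may need but not hold, over all its paths.  Each
    definition is explored once per (location, permission set), so it terminates."""
    missing: Set[Perm] = set()
    seen: Set[Tuple[str, str, FrozenSet[Perm]]] = set()

    def walk(p: Proc, at: str, have: FrozenSet[Perm]) -> None:
        if isinstance(p, Move):      # permissions change only on migration
            walk(p.cont, p.dest, apmod.get((at, p.dest), IDENTITY)(have))
        elif isinstance(p, Comm):
            if (p.kind, p.chan, at) not in have:
                missing.add((p.kind, p.chan, at))
            walk(p.then_, at, have)
            walk(p.other, at, have)
        elif isinstance(p, Call) and (p.name, at, have) not in seen:
            seen.add((p.name, at, have))
            walk(defs[p.name], at, have)

    walk(proc, loc, perms)
    return missing

# Sample client (constructed): go travelshop, receive on flight, go home, repeat.
CLIENT: Dict[str, Proc] = {
    "client": Move("travelshop", Comm("get", "flight",
                                      Move("home", Call("client")),
                                      Move("home", Call("client")))),
}
# Sample apmod: entering travelshop grants get_flight@travelshop, leaving revokes it.
GRANT_ON_ARRIVAL = {("home", "travelshop"): plus("get", "flight", "travelshop"),
                    ("travelshop", "home"): minus("get", "flight", "travelshop")}

def check_client(apmod: Dict[Tuple[str, str], ApMod]) -> Set[Perm]:
    """Start the client at home holding no permissions at all."""
    return missing_permissions(Call("client"), "home", frozenset(), apmod, CLIENT)
```

Under GRANT_ON_ARRIVAL the client needs no initial permission at all, because the migration into travelshop supplies get_flight@travelshop and the migration home takes it away again; under an apmod that is the identity everywhere, check_client reports exactly that missing permission. The walk revisits a recursive definition only with a new (location, permission set) pair, so a process that migrates forever is still checked in finitely many steps.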
As a result, we provide a solution to an important security problem related to migration and access permissions, in the sense that one should rule out unauthorised attempts to communicate over the channels.

V. PROBABILISTIC TIMO

In order to allow a quantitative examination of behaviours, we add probabilities to TIMO, resulting in the new language PTIMO (probabilistic TIMO). When defining the semantics of PTIMO, we start from the fact that the behaviour of a well-formed network N consists of an alternating sequence of derivations (i.e., complete computational steps, in which a maximally parallel multiset of actions is performed at a certain location) and location selections (i.e., choosing the location at which the next complete computational step takes place). Both derivations and location selections can be seen as forms of nondeterministic choice: in the case of derivations, the nondeterminism originates in the fact that moving processes can choose either to stay at the current location or to move to a new location, and in the fact that there are multiple possible outcomes when more than one sender and one receiver can communicate over a certain channel at the same time; in the case of location selections, the nondeterminism is caused by the fact that the semantics of TIMO does not include any rule regarding the selection. Therefore, we can obtain a probabilistic version of TIMO just by turning all the aforementioned nondeterministic choices into corresponding probabilistic choices. To create PTIMO, we treat each source of nondeterminism in the following manner:

1) split complete computational steps into (a) a part containing only potential movements, and (b) a part containing only potential communications;
2) define discrete probability distributions for each part, individually;

3) define discrete probability distributions for location selections;
4) combine the resulting probability distributions into joint distributions.

The new formalism assigns probabilities to the complete transitions that describe the behaviour of TIMO networks, by employing a number of schedulers, which resolve the nondeterminism involved in the movement and in the communication of processes, as well as in the selection of active locations. Accordingly, PTIMO models are no longer labelled transition systems, as in TIMO, but labelled discrete-time Markov chains (DTMCs).

In order to benefit from the quantitative aspects of PTIMO, we introduce the probabilistic query language PLTM, which is inspired by the existing logic PCTL [12], but includes a number of features not commonly found in other logics, such as the ability to check properties which make explicit reference to specific locations and/or processes, to impose temporal constraints over local clocks (i.e., finite or infinite upper bounds, for each location independently), and to define complex action guards over multisets of actions. Using PLTM, we can express transient and steady-state properties, such as "with probability greater than 0.5, the process P_1 will engage in communication at location l_1, on channels a_1 or a_3, before 3 time steps have elapsed at location l_1 and 4 time steps have elapsed at location l_2", or "the long-run probability that no movement occurs during a complete transition is less than 0.3", or "the average number of time steps until a message is communicated over channel a is less than 3.5". Furthermore, a simple model checking algorithm for PLTM can be obtained by adapting the standard algorithm for verifying PCTL properties [14].

VI. REAL-TIME TIMO

Unlike the case for computer systems, the behaviour of several real-time distributed systems cannot be correctly captured through the use of local clocks.
In order to address this issue, we define a real-time extension of TIMO, named RTIMO, in which a global clock drives the dynamic evolution of the whole system. In RTIMO, the discrete transitions caused by performing actions with timeouts alternate with continuous transitions. Although the syntax of RTIMO is close to that of TIMO, their semantics are dissimilar. The main differences between the two formalisms are the following:

- RTIMO employs a single global clock, while in TIMO there is a local clock for each location;
- the nature of time in RTIMO is continuous, not discrete as in TIMO; consequently, action deadlines are specified using positive real numbers, and time steps can have any length;
- time progress in RTIMO is performed by delay rules, in contrast with TIMO, where in each location l there is a local function φ_l that is used to decrement all timers by 1 at location l;
- an evolution step in RTIMO is a sequence of individual actions followed by the passage of time, in contrast with TIMO, where an evolution step is a sequence of individual actions happening at the same location l, followed by the passage of time and the reactivation of all the stalled processes residing at location l.

Within RTIMO it is possible to investigate certain interesting real-time properties, such as those related to safety (a specified error cannot occur) and bounded liveness (a configuration is reachable within a certain amount of time). In order to use well-known model checking tools such as UPPAAL [15] for the verification of distributed networks with migration and communication, we establish a formal relationship between RTIMO and timed automata. UPPAAL can then be employed to verify temporal properties of networks of timed safety automata, expressed in CTL (Computation Tree Logic).

VII. CONCLUSION

When modelling distributed systems it is useful to have an explicit notion of location and explicit timed migration.
Here we have briefly presented a rather simple and expressive formalism called TIMO. It was introduced to bridge the gap between the existing theoretical approach of process calculi and forthcoming realistic languages for multi-agent systems. Several variants were developed during the last years: a probabilistic extension PTIMO [10], a real-time version RTIMO [1], and access permissions given by a type system in PERTIMO [8]. Interesting properties of distributed systems described by TIMO refer to process migration, time constraints, bounded liveness and optimal reachability [2], [7]. A verification tool called TIMO@PAT [11] was developed using the Process Analysis Toolkit (PAT). A flexible software platform was introduced in [3], [5] to support the specification of agents allowing timed migration in a distributed environment [4]. A formal relationship between RTIMO and timed automata, defined in [1], allows the use of the model checking capabilities provided by UPPAAL. A probabilistic temporal logic called PLTM was introduced in [10] to verify complex properties making explicit reference to specific locations, temporal constraints over local clocks and multisets of actions.

Acknowledgement

Many thanks to the co-authors and colleagues involved in several activities related to TIMO: Maciej Koutny, Bogdan Aman, Calin Juravle, Armand Rotaru, Jason Steggles and Manchun Zheng. The work was supported by a grant from the Romanian National Authority for Scientific Research, CNCS-UEFISCDI, project number PN-II-ID-PCE

REFERENCES

[1] B. Aman, G. Ciobanu. Real-Time Migration Properties of RTIMO Verified in UPPAAL. In 11th International Conference on Software Engineering and Formal Methods, LNCS, vol. 8137, 31-45.
[2] B. Aman, G. Ciobanu, M. Koutny. Behavioural Equivalences over Migrating Processes with Timers. In IFIP Joint International Conference on Formal Techniques for Distributed Systems (32nd FORTE / 14th FMOODS), LNCS, vol. 7273, 52-66, 2012.

[3] G. Ciobanu, C. Juravle. A Software Platform for Timed Mobility and Timed Interaction. In IFIP Joint International Conference on Formal Techniques for Distributed Systems (29th FORTE / 11th FMOODS), LNCS, vol. 5522.
[4] G. Ciobanu, C. Juravle. Mobile Agents with Timers, and Their Implementation. In Intelligent Distributed Computing IV, Studies in Computational Intelligence, vol. 315.
[5] G. Ciobanu, C. Juravle. Flexible Software Architecture and Language for Mobile Agents. Concurrency and Computation: Practice and Experience, vol. 24(6).
[6] G. Ciobanu, M. Koutny. Modelling and Verification of Timed Interaction and Migration. In Fundamental Approaches to Software Engineering, LNCS, vol. 4961.
[7] G. Ciobanu, M. Koutny. Timed Mobility in Process Algebra and Petri Nets. The Journal of Logic and Algebraic Programming, vol. 80(7).
[8] G. Ciobanu, M. Koutny. Timed Migration and Interaction with Access Permissions. In 17th International Symposium on Formal Methods, LNCS, vol. 6664.
[9] G. Ciobanu, C. Prisacariu. Timers for Distributed Systems. In 4th Workshop on Quantitative Aspects of Programming Languages, ENTCS, vol. 164(3), 81-99.
[10] G. Ciobanu, A. Rotaru. A Probabilistic Logic for PTIMO. In 10th International Colloquium on Theoretical Aspects of Computing, LNCS, vol. 8049.
[11] G. Ciobanu, M. Zheng. Automatic Analysis of TIMO Systems in PAT. In Proc. 18th International Conference on Engineering of Complex Computer Systems.
[12] H. Hansson, B. Jonsson. A Logic for Reasoning about Time and Reliability. Formal Aspects of Computing, vol. 6(5).
[13] M. Hennessy. A Distributed π-Calculus. Cambridge University Press.
[14] M. Kwiatkowska, G. Norman, D. Parker. Stochastic Model Checking. In Formal Methods for Performance Evaluation, LNCS, vol. 4486.
[15] K.G. Larsen, P. Pettersson, W. Yi. UPPAAL in a Nutshell. International Journal on Software Tools for Technology Transfer, vol. 1(2).
[16] J. Sun, Y. Liu, J.S. Dong, J. Pang. PAT: Towards Flexible Verification under Fairness. In 21st International Conference on Computer Aided Verification, LNCS, vol. 5643, 2009.


PRISM An overview. automatic verification of systems with stochastic behaviour e.g. due to unreliability, uncertainty, randomisation, PRISM An overview PRISM is a probabilistic model checker automatic verification of systems with stochastic behaviour e.g. due to unreliability, uncertainty, randomisation, Construction/analysis of probabilistic

More information

MODEL-BASED DESIGN OF CODE FOR PLC CONTROLLERS

MODEL-BASED DESIGN OF CODE FOR PLC CONTROLLERS Krzysztof Sacha Warsaw University of Technology, Nowowiejska 15/19, 00-665 Warszawa, Poland k.sacha@ia.pw.edu.pl Keywords: Abstract: Automatic program generation, Model verification, Finite state machine,

More information

Model checking and timed CTL

Model checking and timed CTL Chapter 6 Model checking and timed CTL Ah! What did I tell you? 88 miles per hour! The temporal displacement occurred at exactly 1:20am and *zero* seconds! [Dr Emmett Brown] 6.1 Timed CTL Page 86 Formal

More information

Specification and Analysis of Real-Time Systems Using Real-Time Maude

Specification and Analysis of Real-Time Systems Using Real-Time Maude Specification and Analysis of Real-Time Systems Using Real-Time Maude Peter Csaba Ölveczky1,2 and José Meseguer 1 1 Department of Computer Science, University of Illinois at Urbana-Champaign 2 Department

More information

CS 4110 Programming Languages & Logics. Lecture 28 Recursive Types

CS 4110 Programming Languages & Logics. Lecture 28 Recursive Types CS 4110 Programming Languages & Logics Lecture 28 Recursive Types 7 November 2014 Announcements 2 Foster office hours 11-12pm Guest lecture by Fran on Monday Recursive Types 3 Many languages support recursive

More information

PRISM 4.0: Verification of Probabilistic Real-Time Systems

PRISM 4.0: Verification of Probabilistic Real-Time Systems PRISM 4.0: Verification of Probabilistic Real-Time Systems Marta Kwiatkowska 1,GethinNorman 2,andDavidParker 1 1 Department of Computer Science, University of Oxford, Oxford, OX1 3QD, UK 2 School of Computing

More information

Monitoring Interfaces for Faults

Monitoring Interfaces for Faults Monitoring Interfaces for Faults Aleksandr Zaks RV 05 - Fifth Workshop on Runtime Verification Joint work with: Amir Pnueli, Lenore Zuck Motivation Motivation Consider two components interacting with each

More information

Software verification for ubiquitous computing

Software verification for ubiquitous computing Software verification for ubiquitous computing Marta Kwiatkowska Computing Laboratory, University of Oxford QA 09, Grenoble, June 2009 Software everywhere Electronic devices, ever smaller Laptops, phones,

More information

Course Modelling of Concurrent Systems Summer Semester 2016 University of Duisburg-Essen

Course Modelling of Concurrent Systems Summer Semester 2016 University of Duisburg-Essen Course Modelling of Concurrent Systems Summer Semester 2016 University of Duisburg-Essen Harsh Beohar LF 265, harsh.beohar@uni-due.de Harsh Beohar Course Modelling of Concurrent Systems 1 Course handler

More information

Parallel Model Checking of ω-automata

Parallel Model Checking of ω-automata Parallel Model Checking of ω-automata Vincent Bloemen Formal Methods and Tools, University of Twente v.bloemen@utwente.nl Abstract. Specifications for non-terminating reactive systems are described by

More information

PRISM-games: Verification and Strategy Synthesis for Stochastic Multi-player Games with Multiple Objectives

PRISM-games: Verification and Strategy Synthesis for Stochastic Multi-player Games with Multiple Objectives Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) PRISM-games: Verification and Strategy Synthesis for Stochastic Multi-player Games with Multiple Objectives Marta

More information

Efficient Synthesis of Production Schedules by Optimization of Timed Automata

Efficient Synthesis of Production Schedules by Optimization of Timed Automata Efficient Synthesis of Production Schedules by Optimization of Timed Automata Inga Krause Institute of Automatic Control Engineering Technische Universität München inga.krause@mytum.de Joint Advanced Student

More information

Course Modelling of Concurrent Systems Summer Semester 2016 University of Duisburg-Essen

Course Modelling of Concurrent Systems Summer Semester 2016 University of Duisburg-Essen Course Modelling of Concurrent Systems Summer Semester 2016 University of Duisburg-Essen Harsh Beohar LF 265, harsh.beohar@uni-due.de Harsh Beohar Course Modelling of Concurrent Systems 1 Course handler

More information

Modeling Hybrid Systems with Petri Nets

Modeling Hybrid Systems with Petri Nets Modeling Hybrid Systems with Petri Nets Debjyoti Bera, Kees van Hee and Henk Nijmeijer Abstract The behavior of a hybrid system is a mixture of continuous behavior and discrete event behavior. The Simulink/Stateflow

More information

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Dataflow Lecture: SDF, Kahn Process Networks Stavros Tripakis University of California, Berkeley Stavros Tripakis: EECS

More information

Hierarchical Composition and Abstraction In Architecture Models

Hierarchical Composition and Abstraction In Architecture Models Hierarchical Composition and Abstraction In Architecture Models Pam Binns and Steve Vestal Honeywell Labs {pam.binns, steve.vestal}@honeywell.com Supported by the Air Force Office of Scientific Research

More information

Graphical Tool For SC Automata.

Graphical Tool For SC Automata. Graphical Tool For SC Automata. Honours Project: 2000 Dr. Padmanabhan Krishnan 1 Luke Haslett 1 Supervisor Abstract SC automata are a variation of timed automata which are closed under complementation.

More information

MANY real-time applications need to store some data

MANY real-time applications need to store some data Proceedings of the International Multiconference on Computer Science and Information Technology pp. 673 678 ISBN 978-83-60810-14-9 ISSN 1896-7094 Modeling Real-Time Database Concurrency Control Protocol

More information

ISCASMC: A Web-Based Probabilistic Model Checker

ISCASMC: A Web-Based Probabilistic Model Checker ISCASMC: A Web-Based Probabilistic Model Checker Ernst Moritz Hahn 1, Yi Li 2, Sven Schewe 3, Andrea Turrini 1, and Lijun Zhang 1 1 State Key Laboratory of Computer Science, Institute of Software, Chinese

More information

Timed Automata Based Scheduling for a Miniature Pipeless Plant with Mobile Robots *

Timed Automata Based Scheduling for a Miniature Pipeless Plant with Mobile Robots * Timed Automata Based Scheduling for a Miniature Pipeless Plant with Mobile Robots * Christian Schoppmeyer, Martin Hüfner, Subanatarajan Subbiah, and Sebastian Engell Abstract In this contribution we present

More information

A Formal Model for Web-Service Composition

A Formal Model for Web-Service Composition Simon Foster Department of Computer Science University of Sheffield http://www.dcs.shef.ac.uk/~simonf BCTCS 2006 Outline 1 Composing Web-Services Current Technologies 2 3 4 Outline

More information

Resource-bound process algebras for Schedulability and Performance Analysis of Real-Time and Embedded Systems

Resource-bound process algebras for Schedulability and Performance Analysis of Real-Time and Embedded Systems Resource-bound process algebras for Schedulability and Performance Analysis of Real-Time and Embedded Systems Insup Lee 1, Oleg Sokolsky 1, Anna Philippou 2 1 RTG (Real-Time Systems Group) Department of

More information

Automatic synthesis of switching controllers for linear hybrid systems: Reachability control

Automatic synthesis of switching controllers for linear hybrid systems: Reachability control Automatic synthesis of switching controllers for linear hybrid systems: Reachability control Massimo Benerecetti and Marco Faella Università di Napoli Federico II, Italy Abstract. We consider the problem

More information

TTM/PAT: Specifying and Verifying Timed Transition Models

TTM/PAT: Specifying and Verifying Timed Transition Models TTM/PAT: Specifying and Verifying Timed Transition Models Jonathan S. Ostroff 1, Chen-Wei Wang 1,Yang Liu 2, Jun Sun 3, and Simon Hudon 1 1 Department of Electrical Engineering & Computer Science, York

More information

Analysis of a Gossip Protocol in PRISM

Analysis of a Gossip Protocol in PRISM Analysis of a Gossip Protocol in PRISM Marta Kwiatkowska, Gethin Norman and David Parker Oxford University Computing Laboratory, Wolfson Building, Parks Road, Oxford, OX1 QD ABSTRACT Gossip protocols have

More information

Formal Methods in Software Engineering. Lecture 07

Formal Methods in Software Engineering. Lecture 07 Formal Methods in Software Engineering Lecture 07 What is Temporal Logic? Objective: We describe temporal aspects of formal methods to model and specify concurrent systems and verify their correctness

More information

Computational problems. Lecture 2: Combinatorial search and optimisation problems. Computational problems. Examples. Example

Computational problems. Lecture 2: Combinatorial search and optimisation problems. Computational problems. Examples. Example Lecture 2: Combinatorial search and optimisation problems Different types of computational problems Examples of computational problems Relationships between problems Computational properties of different

More information

A Framework for Enforcing Constrained RBAC Policies

A Framework for Enforcing Constrained RBAC Policies A Framework for Enforcing Constrained RBAC Policies Jason Crampton Information Security Group Royal Holloway, University of London jason.crampton@rhul.ac.uk Hemanth Khambhammettu Information Security Group

More information

Introduction to Model Checking

Introduction to Model Checking Introduction to Model Checking René Thiemann Institute of Computer Science University of Innsbruck WS 2007/2008 RT (ICS @ UIBK) week 4 1/23 Outline Promela - Syntax and Intuitive Meaning Promela - Formal

More information

Course on Probabilistic Methods in Concurrency. (Concurrent Languages for Probabilistic Asynchronous Communication) Lecture 1

Course on Probabilistic Methods in Concurrency. (Concurrent Languages for Probabilistic Asynchronous Communication) Lecture 1 Course on Probabilistic Methods in Concurrency (Concurrent Languages for Probabilistic Asynchronous Communication) Lecture 1 The pi-calculus and the asynchronous pi-calculus. Catuscia Palamidessi INRIA

More information

Distributed Systems Programming (F21DS1) Formal Verification

Distributed Systems Programming (F21DS1) Formal Verification Distributed Systems Programming (F21DS1) Formal Verification Andrew Ireland Department of Computer Science School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh Overview Focus on

More information

Composability Test of BOM based models using Petri Nets

Composability Test of BOM based models using Petri Nets I. Mahmood, R. Ayani, V. Vlassov and F. Moradi 7 Composability Test of BOM based models using Petri Nets Imran Mahmood 1, Rassul Ayani 1, Vladimir Vlassov 1, and Farshad Moradi 2 1 Royal Institute of Technology

More information

Timing Analysis of Distributed End-to-End Task Graphs with Model-Checking

Timing Analysis of Distributed End-to-End Task Graphs with Model-Checking Timing Analysis of Distributed End-to-End Task Graphs with Model-Checking Zonghua Gu Department of Computer Science, Hong Kong University of Science and Technology Abstract. Real-time embedded systems

More information

3. Relational Data Model 3.5 The Tuple Relational Calculus

3. Relational Data Model 3.5 The Tuple Relational Calculus 3. Relational Data Model 3.5 The Tuple Relational Calculus forall quantification Syntax: t R(P(t)) semantics: for all tuples t in relation R, P(t) has to be fulfilled example query: Determine all students

More information

HYBRID PETRI NET MODEL BASED DECISION SUPPORT SYSTEM. Janetta Culita, Simona Caramihai, Calin Munteanu

HYBRID PETRI NET MODEL BASED DECISION SUPPORT SYSTEM. Janetta Culita, Simona Caramihai, Calin Munteanu HYBRID PETRI NET MODEL BASED DECISION SUPPORT SYSTEM Janetta Culita, Simona Caramihai, Calin Munteanu Politehnica University of Bucharest Dept. of Automatic Control and Computer Science E-mail: jculita@yahoo.com,

More information

1 Scope, Bound and Free Occurrences, Closed Terms

1 Scope, Bound and Free Occurrences, Closed Terms CS 6110 S18 Lecture 2 The λ-calculus Last time we introduced the λ-calculus, a mathematical system for studying the interaction of functional abstraction and functional application. We discussed the syntax

More information

MODEL CHECKING FOR PLANNING RESOURCE-SHARING PRODUCTION

MODEL CHECKING FOR PLANNING RESOURCE-SHARING PRODUCTION MODEL CHECKING FOR PLANNING RESOURCE-SHARING PRODUCTION Jüri Vain, Tauno Otto, Alar Kuusik Tallinn University of Technology, vain@ioc.ee, tauno.otto@ttu.ee, kalar@va.ttu.ee Effectiveness of operation of

More information

Type systems. Types in access control and privacy. Outline. 1. Dynamic Web Data. p-calculus Dp XDp

Type systems. Types in access control and privacy. Outline. 1. Dynamic Web Data. p-calculus Dp XDp Type systems Types in access control and privacy Silvia Ghilezan University of Novi Sad NII Shonan Meeting 069 LOGIC AND VERIFICATION METHODS IN SECURITY AND PRIVACY October 26-29, 2015 Types have gained

More information

Managing test suites for services

Managing test suites for services Managing test suites for services Kathrin Kaschner Universität Rostock, Institut für Informatik, 18051 Rostock, Germany kathrin.kaschner@uni-rostock.de Abstract. When developing an existing service further,

More information

Formal specification of semantics of UML 2.0 activity diagrams by using Graph Transformation Systems

Formal specification of semantics of UML 2.0 activity diagrams by using Graph Transformation Systems Formal specification of semantics of UML 2.0 activity diagrams by using Graph Transformation Systems Somayeh Azizi 1, Vahid Panahi 2 Computer science department, Sama Technical and vocational, Training

More information

Formal Modeling of Testing Software for Cyber-Physical Automation Systems

Formal Modeling of Testing Software for Cyber-Physical Automation Systems Formal Modeling of Testing Software for Cyber-Physical Automation Systems Igor Buzhinsky, Cheng Pang, Valeriy Vyatkin Computer Technologies Laboratory, ITMO University, St. Petersburg, Russia Department

More information

Model checking pushdown systems

Model checking pushdown systems Model checking pushdown systems R. Ramanujam Institute of Mathematical Sciences, Chennai jam@imsc.res.in Update Meeting, IIT-Guwahati, 4 July 2006 p. 1 Sources of unboundedness Data manipulation: integers,

More information

Implicit vs. Explicit Data-Flow Requirements in Web Service Composition Goals

Implicit vs. Explicit Data-Flow Requirements in Web Service Composition Goals Implicit vs. Explicit Data-Flow Requirements in Web Service Composition Goals Annapaola Marconi, Marco Pistore, and Paolo Traverso ITC-irst Via Sommarive 18, Trento, Italy {marconi, pistore, traverso}@itc.it

More information

A Formalization of Transition P Systems

A Formalization of Transition P Systems Fundamenta Informaticae 49 (2002) 261 272 261 IOS Press A Formalization of Transition P Systems Mario J. Pérez-Jiménez and Fernando Sancho-Caparrini Dpto. Ciencias de la Computación e Inteligencia Artificial

More information

CS 4110 Programming Languages & Logics. Lecture 27 Recursive Types

CS 4110 Programming Languages & Logics. Lecture 27 Recursive Types CS 4110 Programming Languages & Logics Lecture 27 Recursive Types 4 November 2016 Announcements 2 My office hours are at the normal time today but canceled on Monday Guest lecture by Seung Hee Han on Monday

More information

Modeling Interactions of Web Software

Modeling Interactions of Web Software Modeling Interactions of Web Software Tevfik Bultan Department of Computer Science University of California Santa Barbara, CA 9106 bultan@cs.ucsb.edu Abstract Modeling interactions among software components

More information

Simplifying Itai-Rodeh Leader Election for Anonymous Rings

Simplifying Itai-Rodeh Leader Election for Anonymous Rings AVoCS 04 Preliminary Version Simplifying Itai-Rodeh Leader Election for Anonymous Rings Wan Fokkink 1 Department of Software Engineering, CWI, Amsterdam, The Netherlands Department of Computer Science,

More information

How useful is the UML profile SPT without Semantics? 1

How useful is the UML profile SPT without Semantics? 1 How useful is the UML profile SPT without Semantics? 1 Susanne Graf, Ileana Ober VERIMAG 2, avenue de Vignate - F-38610 Gières - France e-mail:{susanne.graf, Ileana.Ober}@imag.fr http://www-verimag.imag.fr/~{graf,iober}

More information

StateClock: a Tool for Timed Reactive Modules

StateClock: a Tool for Timed Reactive Modules StateClock: a Tool for Timed Reactive Modules Jonathan S. Ostroff Department Of Computer Science, York University, Toronto, Canada, M3J 1P3. Email: jonathan@yorku.ca Abstract: We provide an overview of

More information

Stochastic Petri nets

Stochastic Petri nets Stochastic Petri nets 1 Stochastic Petri nets Markov Chain grows very fast with the dimension of the system Petri nets: High-level specification formalism Markovian Stochastic Petri nets adding temporal

More information

Behavioural Equivalences and Abstraction Techniques. Natalia Sidorova

Behavioural Equivalences and Abstraction Techniques. Natalia Sidorova Behavioural Equivalences and Abstraction Techniques Natalia Sidorova Part 1: Behavioural Equivalences p. p. The elevator example once more How to compare this elevator model with some other? The cabin

More information

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS522 Programming Language Semantics

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS522 Programming Language Semantics CONVENTIONAL EXECUTABLE SEMANTICS Grigore Rosu CS522 Programming Language Semantics Conventional Semantic Approaches A language designer should understand the existing design approaches, techniques and

More information

Stochastic Games for Verification of Probabilistic Timed Automata

Stochastic Games for Verification of Probabilistic Timed Automata Stochastic ames for Verification of Probabilistic Timed Automata Marta Kwiatkowska, ethin Norman, and David Parker Oxford University Computing Laboratory, Parks Road, Oxford, OX1 3QD Abstract. Probabilistic

More information

Lecture Notes on Program Equivalence

Lecture Notes on Program Equivalence Lecture Notes on Program Equivalence 15-312: Foundations of Programming Languages Frank Pfenning Lecture 24 November 30, 2004 When are two programs equal? Without much reflection one might say that two

More information

FSP Language Specification

FSP Language Specification FSP Language Specification V2.0 additions 1 V2.0 -Additions FSP Language Specification This document describes the additions that have been made to the FSP input notation to the LTSA tool since its initial

More information

A Simplified Abstract Syntax for the Dataflow Algebra. A. J. Cowling

A Simplified Abstract Syntax for the Dataflow Algebra. A. J. Cowling Verification and Testing Research Group, Department of Computer Science, University of Sheffield, Regent Court, 211, Portobello Street, Sheffield, S1 4DP, United Kingdom Email: A.Cowling @ dcs.shef.ac.uk

More information

Automated Formal Methods for Embedded Systems

Automated Formal Methods for Embedded Systems Automated Formal Methods for Embedded Systems Bernd Finkbeiner Universität des Saarlandes Reactive Systems Group 2011/02/03 Bernd Finkbeiner (UdS) Embedded Systems 2011/02/03 1 / 48 Automated Formal Methods

More information

2 after reception of a message from the sender, do one of two things: either the message is delivered to the receiver, or it is lost. The loss of a me

2 after reception of a message from the sender, do one of two things: either the message is delivered to the receiver, or it is lost. The loss of a me Protocol Verification using UPPAAL: Exercises? Lab assistant: Alexandre David Department of Computer Systems (room 1237, mailbox 26), Uppsala University, Box 325, S751 05, Uppsala. Phone: 018-18 73 41.

More information

Model-Checking and Simulation for Stochastic Timed Systems

Model-Checking and Simulation for Stochastic Timed Systems Model-Checking and Simulation for Stochastic Timed Systems QUASIMODO FMCO 2010, Graz Universität des Saarlandes Outline 1. Stochastic Timed Automata STA Submodels Modest 2. Model-Checking mcpta PTA Case

More information

Probabilistic Model Checking. Mohammad Roohitavaf

Probabilistic Model Checking. Mohammad Roohitavaf Probabilistic Model Checking Mohammad Roohitavaf Index! Introduction! Probabilistic Systems! Probabilistic Logics! PRISM! Performance Evaluation! Model Checking and Performance Evaluation! Challenges Introduction!

More information

Combining Declarative and Procedural Views in the Specification and Analysis of Product Families FMSPLE 2013

Combining Declarative and Procedural Views in the Specification and Analysis of Product Families FMSPLE 2013 Combining Declarative and Procedural Views in the Specification and Analysis of Product Families Maurice H. ter Beek ISTI CNR, Pisa, Italy joint work with Alberto Lluch Lafuente Marinella Petrocchi IMT,

More information

An Algebraic Framework for Optimizing Parallel Programs

An Algebraic Framework for Optimizing Parallel Programs An Algebraic Framework for Optimizing Parallel Programs Ichiro Satoh Department of Information Sciences, Ochanomizu University 2-1-1 Otsuka Bunkyo-ku Tokyo 112, Japan ichiro@is.ocha.ac.jp Abstract This

More information

This full text version, available on TeesRep, is the post-print (final version prior to publication) of:

This full text version, available on TeesRep, is the post-print (final version prior to publication) of: This full text version, available on TeesRep, is the post-print (final version prior to publication) of: Dong, J. S. et. al. (2006) 'HighSpec: A tool for building and checking OZTA models', 28th international

More information

A Modelling and Analysis Environment for LARES

A Modelling and Analysis Environment for LARES A Modelling and Analysis Environment for LARES Alexander Gouberman, Martin Riedl, Johann Schuster, and Markus Siegle Institut für Technische Informatik, Universität der Bundeswehr München, {firstname.lastname@unibw.de

More information

Petri Nets ~------~ R-ES-O---N-A-N-C-E-I--se-p-te-m--be-r Applications.

Petri Nets ~------~ R-ES-O---N-A-N-C-E-I--se-p-te-m--be-r Applications. Petri Nets 2. Applications Y Narahari Y Narahari is currently an Associate Professor of Computer Science and Automation at the Indian Institute of Science, Bangalore. His research interests are broadly

More information

Software Model Checking: Theory and Practice

Software Model Checking: Theory and Practice Software Model Checking: Theory and Practice Lecture: Specification Checking - Specification Patterns Copyright 2004, Matt Dwyer, John Hatcliff, and Robby. The syllabus and all lectures for this course

More information

Towards Validated Real-Time Software

Towards Validated Real-Time Software Towards Validated Real-Time Software Valérie BERTIN, Michel POIZE, Jacques PULOU France Télécom - Centre National d'etudes des Télécommunications 28 chemin du Vieux Chêne - BP 98-38243 Meylan cedex - France

More information

PRISM-games 2.0: A Tool for Multi-Objective Strategy Synthesis for Stochastic Games

PRISM-games 2.0: A Tool for Multi-Objective Strategy Synthesis for Stochastic Games PRISM-games 2.0: A Tool for Multi-Objective Strategy Synthesis for Stochastic Games Marta Kwiatkowska 1, David Parker 2, and Clemens Wiltsche 1 1 Department of Computer Science, University of Oxford, UK

More information

Abstract formula. Net formula

Abstract formula. Net formula { PEP { More than a Petri Net Tool ABSTRACT Bernd Grahlmann and Eike Best The PEP system (Programming Environment based on Petri Nets) supports the most important tasks of a good net tool, including HL

More information

these developments has been in the field of formal methods. Such methods, typically given by a

these developments has been in the field of formal methods. Such methods, typically given by a PCX: A Translation Tool from PROMELA/Spin to the C-Based Stochastic Petri et Language Abstract: Stochastic Petri ets (SPs) are a graphical tool for the formal description of systems with the features of

More information

Lambda Calculus. Type Systems, Lectures 3. Jevgeni Kabanov Tartu,

Lambda Calculus. Type Systems, Lectures 3. Jevgeni Kabanov Tartu, Lambda Calculus Type Systems, Lectures 3 Jevgeni Kabanov Tartu, 13.02.2006 PREVIOUSLY ON TYPE SYSTEMS Arithmetical expressions and Booleans Evaluation semantics Normal forms & Values Getting stuck Safety

More information

Negations in Refinement Type Systems

Negations in Refinement Type Systems Negations in Refinement Type Systems T. Tsukada (U. Tokyo) 14th March 2016 Shonan, JAPAN This Talk About refinement intersection type systems that refute judgements of other type systems. Background Refinement

More information

CS 556 Advanced Computer Networks Spring Solutions to Midterm Test March 10, YOUR NAME: Abraham MATTA

CS 556 Advanced Computer Networks Spring Solutions to Midterm Test March 10, YOUR NAME: Abraham MATTA CS 556 Advanced Computer Networks Spring 2011 Solutions to Midterm Test March 10, 2011 YOUR NAME: Abraham MATTA This test is closed books. You are only allowed to have one sheet of notes (8.5 11 ). Please

More information

Formal Analysis and Verification of a Communication Protocol

Formal Analysis and Verification of a Communication Protocol Proceedings of the 5th WSEAS Int. Conference on Information Security and Privacy, Venice, Italy, November 20-22, 2006 103 Formal Analysis and Verification of a Communication Protocol XIN BEN LI, DE CHAO

More information

MODERN automated manufacturing systems require. An Extended Event Graph With Negative Places and Tokens for Time Window Constraints

MODERN automated manufacturing systems require. An Extended Event Graph With Negative Places and Tokens for Time Window Constraints IEEE TRANSACTIONS ON AUTOMATION SCIENCE AND ENGINEERING, VOL. 2, NO. 4, OCTOBER 2005 319 An Extended Event Graph With Negative Places and Tokens for Time Window Constraints Tae-Eog Lee and Seong-Ho Park

More information

Introduction to Embedded Systems

Introduction to Embedded Systems Introduction to Embedded Systems Sanjit A. Seshia UC Berkeley EECS 149/249A Fall 2015 2008-2015: E. A. Lee, A. L. Sangiovanni-Vincentelli, S. A. Seshia. All rights reserved. Chapter 3: Discrete Dynamics,

More information

Proc. XVIII Conf. Latinoamericana de Informatica, PANEL'92, pages , August Timed automata have been proposed in [1, 8] to model nite-s

Proc. XVIII Conf. Latinoamericana de Informatica, PANEL'92, pages , August Timed automata have been proposed in [1, 8] to model nite-s Proc. XVIII Conf. Latinoamericana de Informatica, PANEL'92, pages 1243 1250, August 1992 1 Compiling Timed Algebras into Timed Automata Sergio Yovine VERIMAG Centre Equation, 2 Ave de Vignate, 38610 Gieres,

More information

PETRI NET MODELLING OF CONCURRENCY CONTROL IN DISTRIBUTED DATABASE SYSTEM

PETRI NET MODELLING OF CONCURRENCY CONTROL IN DISTRIBUTED DATABASE SYSTEM PETRI NET MODELLING OF CONCURRENCY CONTROL IN DISTRIBUTED DATABASE SYSTEM Djoko Haryono, Jimmy Tirtawangsa, Bayu Erfianto Abstract- The life time of transaction is divided into two stages: executing stage

More information

12 PEPA Case Study: Rap Genius on Heroku

12 PEPA Case Study: Rap Genius on Heroku 1 PEPA Case Study: Rap Genius on Heroku As an example of a realistic case study, we consider a Platform as a service (PaaS) system, Heroku, and study its behaviour under different policies for assigning

More information

A FAMILY OF RESOURCE-BOUND REAL- TIME PROCESS ALGEBRAS

A FAMILY OF RESOURCE-BOUND REAL- TIME PROCESS ALGEBRAS A FAMILY OF RESOURCE-BOUND REAL- TIME PROCESS ALGEBRAS Insup Lee University of Pennsylvania, Philadelphia, PA (lee@cis.upenn.edu) Jin-Young Choi Korea University, Seoul, Korea (choi@formal.korea.ac.kr)

More information

Liveness and Fairness Properties in Multi-Agent Systems

Liveness and Fairness Properties in Multi-Agent Systems Liveness and Fairness Properties in Multi-Agent Systems Hans-Dieter Burkhard FB Informatik Humboldt-University Berlin PF 1297, 1086 Berlin, Germany e-mail: hdb@informatik.hu-berlin.de Abstract Problems

More information

Formal modelling and verification in UPPAAL

Formal modelling and verification in UPPAAL Budapest University of Technology and Economics Department of Measurement and Information Systems Fault Tolerant Systems Research Group Critical Embedded Systems Formal modelling and verification in UPPAAL

More information

Joint Entity Resolution

Joint Entity Resolution Joint Entity Resolution Steven Euijong Whang, Hector Garcia-Molina Computer Science Department, Stanford University 353 Serra Mall, Stanford, CA 94305, USA {swhang, hector}@cs.stanford.edu No Institute

More information

Hierarchical Petri Net Simulator: Simulation, Design Validation, and Model Checking Tool for Hierarchical Place/Transition Petri Nets

Hierarchical Petri Net Simulator: Simulation, Design Validation, and Model Checking Tool for Hierarchical Place/Transition Petri Nets Hierarchical Petri Net Simulator: Simulation, Design Validation, and Model Checking Tool for Hierarchical Place/Transition Petri Nets Yojiro Harie and Katsumi Wasaki Interdisciplinary Graduate School of

More information

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS422 Programming Language Semantics

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS422 Programming Language Semantics CONVENTIONAL EXECUTABLE SEMANTICS Grigore Rosu CS422 Programming Language Semantics Conventional Semantic Approaches A language designer should understand the existing design approaches, techniques and

More information

Automatic Verification of the IEEE-1394 Root Contention Protocol with KRONOS and PRISM

Automatic Verification of the IEEE-1394 Root Contention Protocol with KRONOS and PRISM Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) Automatic Verification of the IEEE-1394 Root Contention Protocol with KRONOS and PRISM Conrado Daws 1, Marta Kwiatkowska

More information