Model Checking CSMA/CD Protocol Using an Actor-Based Language

Similar documents
Model Checking CSMA/CD Protocol using an Actor-Based Language

Formal Verification of the IEEE 802.1D Spanning Tree Protocol Using Extended Rebeca

Compositional Semantics of an Actor-Based Language Using Constraint Automata

Schedulability, Deadlock Freedom, and Performance Analysis of Timed Actors

Integrating Module Checking and Deduction in a Formal Proof for the Perlman Spanning Tree Protocol (STP)

Lecture 5 The Data Link Layer. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it

Lecture 6 The Data Link Layer. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it

High Level View. EE 122: Ethernet and Random Access protocols. Medium Access Protocols

EE 122: Ethernet and

Multiple Access. Data Communications and Networking

LECTURE PLAN. Script. Introduction about MAC Types o ALOHA o CSMA o CSMA/CD o CSMA/CA

Principles behind data link layer services

The Maude LTL Model Checker and Its Implementation

CS 43: Computer Networks Switches and LANs. Kevin Webb Swarthmore College December 5, 2017

Action Language Verifier, Extended

2 after reception of a message from the sender, do one of two things: either the message is delivered to the receiver, or it is lost. The loss of a me

Data Link Control Protocols

Summary of MAC protocols

Principles behind data link layer services:

Principles behind data link layer services:

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

CHAPTER 15 LOCAL AREA NETWORKS ANSWERS TO QUESTIONS

CMPE 150/L : Introduction to Computer Networks. Chen Qian Computer Engineering UCSC Baskin Engineering Lecture 18

Markov Chains and Multiaccess Protocols: An. Introduction

Temporal Logic and Timed Automata

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Lecture 9 The Data Link Layer part II. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it

Lecture 8 The Data Link Layer part I. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it

Medium Access Protocols

LAN PROTOCOLS. Beulah A AP/CSE

Lecture 6. Data Link Layer (cont d) Data Link Layer 1-1

Distributed Queue Dual Bus

Comparison of NoC Routing Algorithms Using Formal Methods

CS 3640: Introduction to Networks and Their Applications

A Finite State Model for IEEE Wireless LAN MAC DCF

Access Technologies! Fabio Martignon

LAN Overview (part 2) Interconnecting LANs - Hubs

Modeling System Architecture and Resource Constraints Using Discrete-Event Simulation

Aloha and slotted aloha

Media Access Control (MAC) Sub-layer and Ethernet

Protocol Specification. Using Finite State Machines

CS 3516: Advanced Computer Networks

Data and Computer Communications. Chapter 11 Local Area Network

The SPIN Model Checker

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Model-Checking Concurrent Systems

ECEN 5032 Data Networks Medium Access Control Sublayer

Formal Analysis and Verification of a Communication Protocol

CSE 461: Multiple Access Networks. This Lecture

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

CS 3640: Introduction to Networks and Their Applications

Computer Networks Principles LAN - Ethernet

Link layer: introduction

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

TSIN01 Information Networks Lecture 3

A Verification Method for Software Safety Requirement by Combining Model Checking and FTA Congcong Chen1,a, Fuping Zeng1,b, Minyan Lu1,c

CSE/EE 461 Wireless and Contention-Free Protocols

Binary Decision Diagrams and Symbolic Model Checking

An Efficient Scheduling Scheme for High Speed IEEE WLANs

CSEN 503 Introduction to Communication Networks. Mervat AbuElkheir Hana Medhat Ayman Dayf. **Slides are attributed to J. F. Kurose

Ethernet. Introduction. CSE 3213 Fall 2011

Data Link Layer, Part 5. Medium Access Control

LANs. Local Area Networks. via the Media Access Control (MAC) SubLayer. Networks: Local Area Networks

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

EECS Introduction to Computer Networking. Local Area Networks / Ethernet. Hub

Hybrid Rebeca: Modeling and Analyzing of Cyber-Physical Systems

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

Getting Connected (Chapter 2 Part 4) Networking CS 3470, Section 1 Sarah Diesburg

CCM 4300 Lecture 5 Computer Networks, Wireless and Mobile Communications. Dr Shahedur Rahman. Room: T115

Review. Error Detection: CRC Multiple access protocols. LAN addresses and ARP Ethernet. Slotted ALOHA CSMA/CD

COS 140: Foundations of Computer Science

Design and Analysis of Distributed Interacting Systems

Computer Network Fundamentals Spring Week 3 MAC Layer Andreas Terzis

Data Communications. Automatic Repeat Request Medium Access Control

Network Performance: Queuing

Problem Set Name the 7 OSI layers and give the corresponding functionalities for each layer.

MAC in /20/06

Today. Last Time. Motivation. CAN Bus. More about CAN. What is CAN?

Introduction to LAN Protocols

Lecture1: Symbolic Model Checking with BDDs. Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213

Modelling and Simulation of Asynchronous Real-Time Systems using Timed Rebeca

CS 716: Introduction to communication networks. - 9 th class; 19 th Aug Instructor: Sridhar Iyer IIT Bombay

1. Data Link Layer (Layer 2)

Random Access. 1. Aloha. 2. Slotted Aloha 3. CSMA 4. CSMA/CD

Scenario Graphs Applied to Security (Summary Paper)

Design and Performance Evaluation of a New Spatial Reuse FireWire Protocol. Master s thesis defense by Vijay Chandramohan

Distributed Deadlock Detection for. Distributed Process Networks

CS 640 Lecture 4: 09/11/2014

The Link Layer II: Ethernet

IEEE , Token Rings. 10/11/06 CS/ECE UIUC, Fall

Multiple Access Links and Protocols

Data Link Layer. Our goals: understand principles behind data link layer services: instantiation and implementation of various link layer technologies

COS 140: Foundations of Computer Science

Wireless Communication and Networking CMPT 371

Ionuţ Buricea. Trying to extend this work to timed protocols, I studied the verification of timed systems

The MAC Address Format

Modelling a Video-on-Demand Service over an Interconnected LAN and ATM Networks

ECE 4450:427/527 - Computer Networks Spring 2017

Protocols for Multiaccess Networks

Transcription:

Model Checking CSMA/CD Protocol Using an Actor-Based Language Marjan Sirjani 1,2, Hassan Seyyed Razi 2, Ali Movaghar 1 Mohammad Mahdi Jaghoori 1, Sara Forghanizadeh 2, Mona Mojdeh 2 1 Department of Computer Engineering, Sharif University of Technology Azadi Ave., Tehran, Iran 2 Department of Electrical and Computer Engineering, Tehran University Karegar Ave., Tehran, Iran Abstract: Formal verification techniques are used to obtain correct and reliable systems. In this paper we use the actor-based language, Rebeca, for modeling the CSMA/CD Protocol. In Rebeca, each component in the system is modeled as a reactive object. Reactive objects are encapsulated, with no shared variables, communicating via asynchronous message passing. Rebeca Verifier is a front-end tool, used for translating Rebeca code to the languages of existing model checkers. Different versions of CSMA/CD protocol are model checked and the results are summarized. Key-Words: Protocol verification, Actor model, Reactive systems, Model checking, Rebeca, CSMA/CD 1 Introduction With the growing usage of software systems in safety-critical applications, the demand for developing highly reliable systems has increased. Using formal methods in general, and applying formal verification approaches specifically, is a way to obtain reliable systems. Here, we use the actor-based language, Rebeca, for modeling an Ethernet Protocol and model check it using the Rebeca Verifier tool. Rebeca(Reactive Objects Language) is an actor-based language for modeling reactive systems. In Rebeca, systems are modeled as independent reactive objects. These reactive objects have encapsulated states with no shared variables and communicate by asynchronous message passing. Rebeca is supported by Rebeca Verifier [9], as a tool that automatically translates Rebeca codes into SMV [1] or Promela [2]. Translated codes can be model checked by NuSMV. or Spin, respectively. CSMA/CD (Carrier Sense, Multiple Access with Collision Detection) is a protocol for communication on a broadcast network with a multiple access medium. For modeling CSMA/CD protocol in Rebeca, we use the Timed Automata model of the protocol which is based on the description in [7]. The concurrency in the CSMA/CD protocol results from the common usage of a broadband transmission medium by several independently acting stations. Related work In [6], a model of the CSMA/CD protocol is used as an example to describe the implementation and application of a tool that handles formal specifications written in the process calculus. In [5], a compositional verification approach is proposed and the CSMA/CD protocol is used as a benchmark to show the efficiency of this approach using their tool RT-IOTA. The protocol is modeled in Timed Automata. Another work based on Timed Automata is presented in [4]. In that paper a tool is presented which provides reachability analysis and refinement checking using BDD. The results are evaluated using the CSMA/CD protocol as the main case study. Synchronous message passing is used in modeling CSMA/CD in CCS and Timed Automata. Also,

in Timed Automata one is able to model the real time. In Rebeca, we modeled the protocol based on asynchronous message passing, without explicit receive statements. Passing of time can be modeled by messages waiting in the queues. Starting from a model with eight million reachable states in the state space, we applied some abstractions, simplifications, and optimizations to get less than two thousands reachable states. Plan of the paper In the following section we explain Rebeca, as a tool-supported modeling langauge, that can be used for modeling and verification of reactive systems. In Section 3, modeling CSMA/CD protocol in Rebeca is explained. Section 4 shows the different models of the protocol, and the model checking results. In Section 5, we explain the conclusion and future works. 2 Rebeca Rebeca [8] is an actor-based language [3], with independent reactive objects, communicating by asynchronous message passing, and using unlimited buffers for messages. Our objects are reactive and self-contained. We call each of them a rebec, for reactive object. Computation takes place by message passing and execution of the corresponding methods of messages. Each message specifies a unique method to be invoked when the message is serviced. Each rebec has an unbounded buffer, called a queue, for arriving messages. Each rebec is instantiated from a class and has a single thread of execution. We define a model, representing a set of rebecs, as a closed system. It is composed of rebecs, which are concurrently executed, and are interacting with each other. When a message is read from the queue, its method is invoked and the message is removed from the queue. 2.1 Rebeca Verifier Rebeca Verifier is an environment to create Rebeca models, edit them, and translate them to SMV or Promela [9]. Also, modeler can enter the properties to be verified. The output code can be model checked by NuSMV or Spin. NuSMV is a symbolic model checker which verifies the correctness of properties for a finite state system. The system should be modeled in the input language of NuSMV, called SMV, and the properties should be specified in CTL or LTL. Spin is a model checker that supports the design and verification of asynchronous process systems. 3 CSMA/CD Protocol Specification in Rebeca send rec send rec MAC1 M MAC2 Figure 1. The MAC sublayer of CSMA/CD protocol In this section, we briefly describe the Media Access Control (MAC) sub layer of the Carrier Sense, Multiple Access with Collision Detection (IEEE 802.3 CSMA/CD) communication protocol. This protocol is used in multiple access shared media environments such as Ethernet LANs, which use a shared bus for connecting a number of independent computers. The protocol specification consists of MAC entities interconnected by a bi-directional Medium. Each MAC is representative of a computer in the data link layer. The MAC entities are identical for all computers and can both transmit and receive messages over the shared Medium. This means that collisions may occur on the Medium (if two MAC s transmit simultaneously). It is assumed that collisions will be detected in the Medium and signaled to every MAC. Each MAC after transmitting a packet over the Medium, waits to make sure that no collision has occurred; but if collision occurs, it tries to retransmit its last packet, until it gets the chance to send the packet successfully without any collision. As shown in Figure 1, a MAC may receive send messages from its higher level, indicating a new packet to be sent over the Medium. The MAC cannot

process the next packet before it has transmitted the previous packet successfully over the Medium. In the simplified model of the protocol shown in Figure 1, the target of a packet is clearly the other MAC present in the composition. Each MAC, similarly, signals a rec message to its higher level upon successful receipt of a packet from the Medium. receivedsend= false Start receivedsend = true / M.b() Transfer - / M.e() acknowledged= true, col= true / M.b() Modeling in Rebeca For modeling this protocol in Rebeca, we defined two active classes: one for the MAC class and another for the Medium class, as shown in Figures 4 and 5. We do not include the higher level components in our model. The role of the components in the higher level is abstracted in our model using a nondeterministic choice in the MAC for deciding when a new packet is available for sending. The other role of this layer, which is receiving the packets, does not change any thing in the model and can easily be ignored. The composition of our model consists of two instances of the MAC class and one instance of the Medium class. These MACs communicate with the Medium via asynchronous message passing. In order to send a packet, each MAC goes through the following scenario, as shown in Figure 2. After it has decided to send a packet in the start state, the MAC sends a b message to the Medium and enters the transfer state. In the transfer state, it sends an e message to the Medium, indicating the end of the packet. Then if no collision has occurred, packet transmission is finished and the MAC can get back to the start state; otherwise, it should retransmit the last packet by sending a new b to the Medium and going back to the transfer state. We name the above cycle, the Send cycle of the rebec MAC. Figure 3 shows the Send cycle of the Medium. Collision is detected by the Medium if both MACs try to send packets at the same time. However, since we are using asynchronous message passing, collision in our model is defined as the Medium receiving two b messages from both MACs before it has received their corresponding e messages. This way of modeling collision (the coincidence of the time that two MACs try to send packets) shows how we can model the concept of time using asynchronous message passing. That is why we do need two distinct messages showing the beginning and the end of a packet, to be able to identify an interval during which collision may occur. The important point here is that although the acknowledged= true, col= false Wait for Ack acknowledged = False Figure 2. State Chart of a MAC showing the Send cycle MACs work independently from the Medium, they need to wait for the Medium s response after sending b and e to make sure whether collision has happened. This is achieved by repeatedly sending the wait4ack message to self until the acknowledgment from the Medium is received. The Medium on the other hand, needs to wait for the MAC s both b and e messages to make sure whether collision has happened or not. Therefore, the Medium only after receiving e from a MAC can determine if its transmission has been collision-free, and give corresponding acknowledgment. In order to simplify the model, the receipt of a packet is represented by only one message from the Medium to the receiving MAC, after which the Medium is assumed to be empty and ready for the next packet transmission. This has no effect on the generality of the model; because we can assume that the MAC starts receiving sometime in between receiving b and e messages from the other MAC, and ends receiving upon receipt of rec message, which is sent by Medium immediately after processing the e message from the sending MAC. It should be noted that after receiving message ackrec from both of the MACs, any b from either of them no longer collides with this finished transmission. When the Medium is processing an e message, if no collision has happened, a collisionfalse message can be sent to the sender of the e message. On the other hand, which is the case of a collision, the collisiontrue message needs to be broadcast to both MACs. In such a case, the Medium surely will receive two e messages, because it already has received two bs. If we do the broadcast just at the first e, we may lose

Collision r2= false r1= false -/mac2.rec() Wait for ack Wait for ack e1 r2= true/mac1.collisionfalse r1= true/mac2.collisionfalse -/mac1.rec() e2 e (Mac1) Idle e (Mac2) b (Mac2) b2 b1 b (Mac1) b (Mac2) b (Mac1) Collision -/ ask Macs to retranstmit -/ ask Macs to retransmit Figure 3. State Chart of a Medium showing the Send cycle track the bs and the next e (which should be ignored) may conflict with the next transmission from the MAC that had sent the first e. 4 Verification Results The CSMA/CD protocol (shown in Figures 4 and 5) is verified using Rebeca Verifier. We used Rebeca Verifier to generate codes in both SMV and Promela. The results of verification of the last version of our model by NuSMV is 1438 reachable states out of 2.2378e+21 total states. In Spin, the max depth is 6603, and the number of stored states is 9184. In the preliminary versions of our Rebeca model, the number of reachable states in equivalent SMV model exceeds 8 million. Version 6 in Table 1 represents one of these versions. The number of reachable states, the CPU time for computing these states, and also the memory used in this computation are shown. Table 1 shows the results of executing NuSMV on a Pentium IV 2.00 GHz (full cache) system with 1.0 GB RAM. Existence of redundant message servers in the MACs, although correct, results in an excessive increase in the number of states. This is caused by the activeclass Mac(3) { knownobjects { Medium medium; statevars { boolean receivedsend; boolean col; boolean acknowledged; msgsrv initial() { acknowledged = false; receivedsend =?{true, false; col=false; self.start(); msgsrv rec(){ medium.ackrec(); msgsrv start (){ if (receivedsend){ receivedsend=false; medium.b(); self.transfer(); else { receivedsend =?{true, false; self.start(); msgsrv transfer(){ acknowledged = false; medium.e(); self.wait4ack(); msgsrv wait4ack (){ if (acknowledged) { acknowledged = false; if (col){ medium.b(); /* retransmit */ self.transfer(); receivedsend =?{true, false; self.start(); else { self.wait4ack(); msgsrv collisiontrue(){ col = true; acknowledged = true; msgsrv collisionfalse(){ col = false; acknowledged = true; Figure 4. Rebeca code for Class MAC

activeclass Medium(5) { knownobjects { Mac mac1; Mac mac2; statevars { boolean bb1; boolean bb2; boolean r1; boolean r2; boolean col; msgsrv initial() { bb1=false; bb2=false; col = true; msgsrv b() { if (sender == mac1){ bb1 = true; bb2 = true; msgsrv e() { if (sender == mac1) { if (!bb2 && bb1){ mac2.rec(); self.ackreceive1(); bb1 = false; col = false; else { if (bb1){ mac1.collisiontrue(); mac2.collisiontrue(); bb1 = false; col = true; mac1.rec(); self.ackreceive2(); col = false; bb2=false; msgsrv ackreceive1(){ if (!r2){ self.ackreceive1(); mac1.collisionfalse(); r2 = false; msgsrv ackreceive2(){ if (!r1){ self.ackreceive2(); mac2.collisionfalse(); r1 = false; msgsrv ackrec(){ if (sender == mac1){ r1 = true; r2 = true; Figure 5. Rebeca code for active class Medium fact that a rebec needs to send a message to itself in order to make a transition from one state to another. Therefore, arrival of a message between each two state transitions can cause a virtual new state. It increases the state space proportional to the number of steps in the life cycle of the rebec. Removing redundant message servers results in version 8 in Table 1. As long as the sender MAC gets more turns than the receiver MAC, the number of messages in the queue increases. In order to handle this problem, some kind of logical fairness is introduced in versions 9.5 and 9.6. To ensure that MACs receive incoming packets, acknowledgements are sent, declaring that a MAC has received the last packet; i.e., it finds the chance for execution in the situation explained above. The safety property, which is verified and proved to be true in the model, is that no collision occurs when one of the MACs receives a packet. For that, we defined a col variable in the Medium indicating the collision. The LTL (Linear Temporal Logic) specification of this property is as follows: G((medium.r1 medium.r2)!(medium.col)) Version 9.6 is developed in order to check the property that there is a possible computation where although collision happens, the packet is finally received. For this purpose, we simplified the model in the way that only one packet is sent. If collision occurs, the MAC retransmits the packet. The LTL specification of this property is as follows: (mac1.col mac1.acknowledged) F (medium.r2) and its symmetric counterpart: (mac2.col mac2.acknowledged) F (medium.r1) In global, the other MAC may never receive the packet, as collision may happen forever. So, the following specifications are false: G((mac1.col mac1.acknowledged) F (medium.r2)) G((mac2.col mac2.acknowledged) F (medium.r1))

Version States Compute time Memory (KB) 6 8 10 6 00 : 23 : 10 972, 413 8 2 10 6 00 : 05 : 23 118, 016 9.5 1438 00 : 00 : 00 14, 292 9.6 951 00 : 00 : 00 13, 384 Table 1. Versions compared using NuSMV 5 Conclusion and Future Work We used Rebeca to model IEEE 802.3 CSMA/CD protocol. The protocol has been modeled in different levels of abstraction by Rebeca and then model checked by NuSMV and Spin. In doing so, we showed how to model the concept of time using asynchronous message passing. We also encountered queue-overflow problem. It happens when a MAC is allowed to send more packets than the other one can take. This is due to less execution turns given to the receiving MAC. However, we were able to solve this problem by synchronizing the MACs, preventing the sender from sending a new packet before the receiver takes the previous one; and thus avoiding queue overflow. Rebeca Verifier will be extended to support direct model checking. In that version, the state space can be abstracted from the queue, reducing the total state space drastically. [5] J. Jeffrey, P. Tsai, Y. Eric, T. Juan, and A. Sahay. Model and algorithm for efficient verification of high-assurance properties of real-time systems. IEEE Transactions on Knowledge and Data Engineering, Vol.15, No.2, 2003, pp. 405-422. [6] R. Lichtenecker, K. Gotthardt, and J. Zalewski. Automated verification of communication protocols using CCS and BDDs. In Proceedings of IPPS/SPDP Workshops, 1998, pp. 1057-1066. [7] J. Parrow. Verifying a CSMA/CD-protocol with CCS. In Proceedings of the IFIP Symposium on Protocol Specification, Testing and Verification, Atlantic City, New Jersey, North-Holland, 1988, pp. 373-387. [8] M. Sirjani and A. Movaghar. An actor-based model for formal modelling of reactive systems: Rebeca. Technical Report CS-TR-80-01, Tehran, Iran, 2001. [9] M. Sirjani, A. Shali, M.M. Jaghoori, H. Iravanchi, and A. Movaghar. A front-end tool for automated abstraction and modular verification of actor-based models. In Proceedings of ACSD 2004, to appear. References [1] NuSMV user manual. availabe through http://nusmv.irst.itc.it/nusmv/ userman/indexv2.html. [2] Spin user manual. available through http://netlib.belllabs.com/netlib/spin/whatisspin.html. [3] G. Agha, I. Mason, S. Smith, and C. Talcott. A foundation for actor computation. Journal of Functional Programming, Vol.7, 1997, pp. 1-72. [4] Beyer D., Lewerentz C., and Noack A. Rabbit: A tool for BDD-based verification of realtime systems. In Hunt W.A., Jr. Somenzi, and F. Somenzi, editors, Proceedings of CAV 2003, volume 2725 of Lecture Notes in Computer Science, Springer-Verlag, Berlin, Germany, 2003, pp. 122-125.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback