Specification and Analysis of a Reliable Broadcasting Protocol in Maude

The present work reports on an ongoing case study in which a new reliable broadcasting protocol (RBP) currently under development at the University of California at Santa Cruz (UCSC) has been formally specified and analyzed, leading to many corrections and improvements to the original design. Indeed, the process of formally specifying the protocol, and of symbolically executing and formally analyzing the resulting specification, has revealed many bugs and inconsistencies very early in the design process, before the protocol was implemented.

RBP performs reliable broadcasting of information in networks with dynamic topology. Reliable broadcasting is not trivial when the topology of the network can change due to failure and mobility. The aim is to ensure that all nodes that satisfy certain connectedness criteria receive the information within finite time, and that the source is notified about it. The protocol should furthermore incur as low latency and as few messages as possible.

A message-passing object-oriented approach seems particularly natural for communication protocols and can be naturally formalized in rewriting logic. Using the rewriting logic-based Maude interpreter, we can prototype and debug the RBP protocol specification. But since a protocol can have many different behaviors, to properly analyze the system it becomes important to explore not just the single execution provided by some default strategy, but many other executions. For this purpose we defined a search strategy that explores all executions of a system for a given initial configuration.
 

The amount of effort required in the formal specification and analysis process has been moderate, and it has been relatively easy for the researchers at UCSC to learn and use the specification formalism involved, so that the formal specification task has indeed been carried out in a joint way by researchers at SRI International, Stanford, and UCSC.
 
 

Maude Specifications and Samples

The two Maude specifications, the protocols for the static and the dynamic network topologies, were sequentially produced in a design process. The starting point of our specification effort was an informal written in pseudocode. Due to the complexity of the protocol, we chose to first formalize the protocol for the special case of static networks, that is, when no links fail and new new links are created. Analyzing the protocol in this simpler setting allowed us to discover weaknesses of the protocol before the specification of the much more complex protocol for dynamic networks. The dynamic protocols imposes much more problems and the need for more information to be stored. Therefore, the data structures of the dynamic protocol are more complex. Due to results from analysing the dynamic network case, we made changes to the protocol design to overcome error and inconsistencies. This resulted in a new pseudocode description.

• The static protocol
• The dynamic protocol

DGM+99

Denker, G., Garcia-Luna-Aveces, J.J., Meseguer, J., Ölveczky, P.C., Raju, Y., Smith, B., and Talcott, C. Specifying a Reliable Broadcasting Protocol in Maude. Internal Report, Computer Science Laboratory, SRI International, Menlo Park, CA, 1999. Report version of DGM+99b. (PostScript)

DGM+99b

Denker, G., Garcia-Luna-Aveces, J.J., Meseguer, J., Ölveczky, P. C., Raju, Y., Smith, B., and Talcott, C. Specification and Analysis of a Reliable Broadcasting Protocol in Maude. In Hajek, B. and Sreenivas, R. S., editors, 37th Annual Allerton Conference on Communication, Control, and Computation, , University of Illinois, USA, September 22-24, 1999. (PostScript)

[Maude Home Page]