the business aspect of this problem, namely, what are the cost benefits of such an integration, and how wide a market is there for such integrated systems?

These are the questions that the panelists addressed in this panel, focusing on the issues that they thought are the most critical.

dangers that computers pose on our privacy. And, in a fourth invited lecture of this program area, G. Gupta talked about the impact of computers on developing countries. There were Panel Discussions on computer induced unemployment and on computer education. There were also discussions on what intelligent machines may do to us and how vulnerable society is to dangers from full scale introduction of computers.

8. Microprocessor Applications
Session 2. Specification and Formal Models

The Power of Formal Models

R. Gustavsson and B. Pehrson (Uppsala Institute of Technology, Sweden) compared two formal techniques for modeling of concurrent systems. They were "Communicating State Machines" and "Calculus of Communicating Systems" (CCS). A variant of the Alternating Bit protocol was used as an illustrating example. Implementation specifications are designed from an informal protocol specification. The behavior of the composed entities is given in each formula and transformed within each theory. The lecturer went on to say that, apart from liveness, the implementation specifications are observationally equivalent to the service specification. The speaker showed in the CCS-based example how interval temporal logic can be used to achieve proofs of total correctness. Both techniques support incremental design, which is desirable in an interactive design system, according to the speaker.

Abstraction by Structural Reduction

B. Pehrson (Uppsala Institute of Technology, Sweden) presented a technique to reduce the functional descriptions of a set of connected components into a less complex functional description of the composed system. The speaker demonstrated this technique by verifying the data link service provided by the Alternating Bit protocol. The protocol specification is reduced into the specification of a queue. The basic idea is to abstract away all events which do not affect the behavior of the composed system according to an equivalence criterion. This technique provides a powerful tool for mechanizing formal synthesis and verification in a hierarchical manner, Pehrson said. It has so far been used together with abstract machine descriptions with a finite number. However, it is a general method, the speaker told the conference, which could be used with other specification methods. The method is implemented in the design system Caddie and has been used to verify some simple communication protocols.

Structured Finite State Automata

S. Budkowski and E. Najm (Agence de l'Informatique, Paris-la-Défense, France) presented and formalized a new modelling technique (Structured Finite State Automata, SFSA) which permits finite state automata to be structured so that operations such as direct coupling and projections may be easily described and accomplished. The lecturer then briefly illustrated and commented on how the techniques may be applied to describe and validate distributed communication systems. The speaker also gave a simple example of the techniques applied to validate the cooperation of adjacent Session/Transport entities in a local system.

Constructive and Executable Specification

L. Logrippo (University of Ottawa, Canada) discussed some of the problems connected with the formal specification of protocol services and proposed some positive solutions. The lecturer introduced the concepts of "constructive" and "executable" specifications and presented a model for the constructive specification of protocol services that is based on the combined use of finite-state transducers and abstract data types. The speaker also presented a technique for executable service specifications that uses a combination of abstract data types and finite-state-automata concepts. This technique, the speaker went on to say, enables the definition of the transport service in a manner that is precise, terse and abstract. This concept seems to hold great promise for the definition of higher level protocols and services that may involve complex data manipulation functions. Similar techniques, the speaker said in conclusion, have been shown elsewhere to be eminently suitable for the purpose of formal verification.

A Behavioral Description Language

G. Karjoth (University of Stuttgart, Fed. Rep. Germany) told the conference that the behavioral description language applied is a process algebra for the specification of protocols in distributed systems. Individual system components are described by their interactions, which are observable in the outside world and represent multi-way synchronized communication over explicit interaction points. The semantics of the language are defined by temporal logic axioms, using Wolper's relativization procedure. The speaker said that they provide a mathematical framework for the analysis of protocols and for developing logical systems for proving their properties.
Conference Reports 149
In conclusion, the speaker said that it is hoped that the first link has been made between abstract requirement specifications given in pure temporal logic and more readable "normal form" specifications given in algebraic expressions.

Session 3. Theory and Applications of Petri Nets

Tools and Studies for Formal Techniques

M. Anttila, H. Eriksson, J. Ikonen, R. Kujansuu, L. Ojala and H. Tuominen (Helsinki University of Technology, Finland) discussed some experiences of using the place/transition-net analyzer. The lecturer described to the conference the work of developing tools for a Petri Net laboratory. In the temporal logic domain an approach of using temporal logic to describe Petri nets was shown. In the examples that the speaker showed, the formulas describing CE-systems are quite long and complicated to carry out manually. One solution, in the speaker's opinion, would be to mechanize some decision procedures. There are many open questions in this area. The speaker said it might be more beneficial to use branching time structures to model nondeterminism in CE-systems. Another interesting topic, the lecturer concluded, would be to describe high-level nets using quantified temporal logic.

Timed Petri Nets

Timed Petri Nets are ordinary Petri Nets with additional elements for modelling time. B. Walter (University of Stuttgart, Fed. Rep. of Germany) introduced several types of timed Petri Nets for modelling network protocols that make extensive use of timers as well as the time behavior of the physical system. Three types of net were considered in the presentation: Condition/Event Nets, Place/Transition Nets and Predicate/Transition Nets. It was shown how to analyze timed Petri Nets and how to check the validity of the modeled timers. In particular, the speaker showed how to model message delayers and timers.

modelling and proving correct concurrent systems in which time appears as a parameter (such as communication protocols). Merlin's time Petri Nets were used for modelling these systems and a recently developed enumerative method was employed for analyzing their behavior. This method was applied to the specification and verification of a data transfer protocol and a bus allocation protocol.

Alternative and complementary methods for analyzing Time Petri Nets are being investigated, the speaker told the conference. These include reduction rules for preserving some properties and structural methods making use of the structure of the net for deducing properties of its behavior. Also being investigated is extending the field of application of the method towards performance analysis, the lecturer concluded.

The ISO Transport Service

J. Billington (Telecom Australia Research Laboratories, Australia) presented a formal specification of the ISO Transport Service Definition. This specification applies to a single instance of a connection. Six phases of the connection are specified by simple separate numerical Petri Nets (NPNs) which may be easily combined to obtain the total specification. The invocation of a service primitive, the speaker went on to say, has been associated with the firing of a transition using a label. The execution of the NPN then describes the allowable sequence of Transport Service primitives and the relationship between these at both ends of the connection.

The speaker concluded with the claim that NPNs are a powerful graphic technique for the specification of ISO services. The merits of NPNs as a formal description technique are currently being debated within CCITT and ISO, reported Billington.

Session 4. Validation and Verification

VADILOC
speaker said, is the translation of the informal description into a description using an extended finite state automaton with predicates. This automaton describing the behavior of an entity for one connection is first checked for correctness (consistency, state reachability, etc.) before it is used for a description based on a programming language and for protocol validation.

After some experiences of VADILOC/BS with protocols using simple messages, an extension has been made, introducing new functions. This extension, called VADILOC/ES (extended system), is more suitable for high level protocols manipulating variables. Both systems, the speaker concluded, are written in PASCAL and run on the CII-HB Multics system at INRIA (Rocquencourt, France).

Link Initialization Procedure

A.E. Baratz and A. Segall (IBM Thomas J. Watson Research Center, New York) told the conference that it is known that HDLC and other bit DLC (Data Link Control) procedures ensure data transmission reliability on noisy links provided that all transmission errors are detected and the link processes are synchronized at initialization. The most commonly used DLC procedures are the bit-oriented DLC procedures such as HDLC, SDLC, ADCCP or Alternating Bit. In this presentation, the speaker showed that the HDLC initialization procedure does not ensure synchronization and thus allows inadvertent loss of data. The speaker proposed a new link initialization procedure and proved that it does ensure synchronization.

Automated Protocol Verification

H. Eckert and R. Prinoth (Gesellschaft für Mathematik und Datenverarbeitung, Fed. Rep. of Germany) first presented a short introduction of a specification tool for communication protocols, in particular for those protocols having a potentially unbounded set of reachable states. The mathematical foundation of the specification method is such that it is possible to compare different specifications of the same protocol by means of homomorphisms.

The speaker also presented a verification method. This combines the developed specification tool and the structured principles of the ISO reference model. The main feature of the method is that it makes it possible to prove that a protocol provides a service and uses an underlying service correctly, according to the lecturer. A complete system for the automated verification of protocols has been implemented. The lecturer provided the conference with examples that illustrate both the specification and verification method.

Experience With Automated Verification Techniques

C.A. Sunshine (University of Southern California, Marina del Rey) reported to the conference that at his institute four automated verification systems were applied to a common set of communication protocols to assess their capabilities. The systems and their key features were Affirm, Gypsy, Concurrent State Delta and Formal Development Methodology. Each system, the lecturer told the conference, showed different strengths in specifying protocols and verifying their correct behavior. The presenter's experience showed that important features of real protocols can be handled by current automated systems, but a great deal of effort and ingenuity is required and further development efforts are needed before real protocols can be fully and routinely verified.

Verification via Executable Logic Specifications

D.P. Sidhu (SDC, Pennsylvania, USA) discussed the uses of logic programming techniques in the specification and verification of communication protocols. The protocol specifications discussed are formal and directly executable. The advantages of executable specifications, Sidhu asserted, are (1) the specification is itself a prototype of the specified system, (2) incremental development of specifications is possible, and (3) behavior exhibited by the specification when executed can be used to check conformity of the specification with requirements. The speaker discussed Horn clause logic, which has a procedural interpretation, and the predicate logic programming language PROLOG, to specify and verify the functional correctness of protocols. PROLOG possesses a powerful pattern-matching feature which is based on unification, Sidhu concluded.
of a trace facility to be included in the system at debug time, and allows coding and programming of the action modules to be pooled between many programmers at the design stage.

Restorick described in detail the method used to realize the state tables in 8086 and the function funnel stepper. He also explained to the conference the methods used to test the systems. The

cally by an NIL compiler, which limits the extent to which unvalidated programs can corrupt validated ones through dangerous side effects.

The lecturer also discussed experience in using NIL as both a design and an implementation language for SNA.

The LC/1 Language
speaker. This was followed by a summary of how the algebraic valuation mechanism may be used to support the different functions of the protocol design environment.

PANDORA

G.J. Holzmann and R.A. Beukers (Delft University of Technology, The Netherlands) told the conference that the protocol design and analysis system named "PANDORA", a joint development project of the Netherlands PTT and the Delft University of Technology, provides its users with a controlled environment for protocol synthesis and formal analysis. PANDORA also offers both software and hardware tools for protocol assessment. PANDORA can assist the user in the documentation of protocol designs by autonomously extracting SDL-diagrams, and has a set of tools for the generation of executable protocol implementations from abstract specifications.

Automated Protocol Development System

P.T. Blumer and D.P. Sidhu (SDC, Pennsylvania, USA) gave an overview to the conference of a formal specification technique and implementation method for computer communication protocols. The technique that the lecturer described was developed at Bolt Beranek and Newman. A collection of useful software tools was also discussed. The speaker focussed on a tool called the finite state machine (FSM) analyzer, which can be used with this technique to verify certain protocol properties. The speaker described the application of the analyzer to an authentication protocol and gave some interesting results.

From Formal Description to Automated Implementation

J.P. Ansart, V. Chari and D. Simon (Agence de l'Informatique, France) gave a brief overview of the basic concepts of the PDIL language (Protocol Description and Implementation Language) through an example of a description. The basic ideas underlying the PDIL translator were outlined by the speaker. This translator is now available, the conference was told, on a Multics system. The lecturer also explained how to pass from a PDIL formal description to implementation by dealing with all the choices. The lecturer went on to explain that the formal description in PDIL should (a) be able to describe the protocol clearly and completely without enforcing over-specification, (b) serve for verifying the correctness of the protocol, and (c) be able to derive an implementation in as automated a way as possible.

Session 7. Protocol Testing

Layer-Independent Architecture

S. Palazzo, P. Fogliata and G. LeMoli (CREI, Milano, Italy) introduced to the conference an architecture for a system performing the testing of a generic OSI layer. It was shown that the system proposed can be used to test protocol implementations in terms of both protocol testing and service testing, either in the debugging or in the certification phase. The structure of the system, the speaker told the conference, is designed in such a way as to point out what is independent from the layer in which the protocol being tested lies. Finally the functional specification of the modules composing the system was described.

Testing and Diagnosis Aids

A. Giebler (Institut für Datenfernverarbeitung, Fed. Rep. of Germany) gave an overview of a special protocol tester which has been developed by the GMD (Gesellschaft für Mathematik und Datenverarbeitung) within the TESDI project (TESting and Diagnosis aid for higher protocols). The lecturer discussed the following subjects: (a) the concept of the protocol tester; (b) the applied testing method; (c) the different testing functions; (d) the implementation concepts used; and (e) an example of a telex (transport layer) test.

User Guided Test Sequence Generation

H. Ural and R.L. Probert (University of Ottawa, Canada) presented a computer-assisted approach for generating test sequences from specifications of communications protocols and services. The approach is based on using attributed context free grammars and is directly applicable in a logic programming environment. The speaker said that the approach involves constructing test sequence
specifications in attributed context free grammars, implementing these specifications in logic programming as generators, and executing the generators in a controlled fashion to generate test sequences.

The lecturer illustrated the approach on transport service and protocol specifications. Benefits include improvements in test design, specification, documentation and management.

Requirements for a Test Specification Language

R.L. Probert and H. Ural (University of Ottawa, Canada) examined the application of the notion of a test specification language to various issues in the testing of protocol implementations. Sources of language design constraints, such as limitations imposed by the test session architecture, were discussed. The speaker also discussed the effects of relationships among language features, the degree of distribution of test control, the design of properties of test support tools, and test initialization and reporting requirements. The speaker concluded with a progress report on a prototype test specification language for specification-based testing of protocol implementations.

J.F. Billiard (CAP Sogeti Logiciel, France) presented four basic rules which he has found useful in obtaining significant validation results. Due to the vast number of tests that can be performed, the speaker proposed a tentative classification according to function. Tests can be divided into two classes: qualitative tests and load acceptance tests. Qualitative tests are designed to control that the "communication machine" - node, network, host or gateway - observes its protocol and that its supplied facilities such as routing, billing, statistics, etc. are correct. The speaker told the conference that load acceptance tests are designed to control the possibilities of the machine in terms of data packets per second or maximum number of simultaneous communications.

Testing of Protocols in SNA Products

R.M.S. Cork (IBM, England) focused his talk on the evolving specification of IBM's Systems Network Architecture (SNA), some of the tools which have been developed to exploit the advances in specification, and the impact these tools have had on the testing and implementation of SNA products. At the present time, the speaker told the conference, a Format And Protocol Language (FAPL) is used for SNA specification. This language is used not only in IBM's external publications which describe the architecture, but also in the production of a machine-readable, executable description of SNA. After consideration of a theoretical approach to product protocol testing involving this executable definition, the speaker went on to describe some of the techniques which have been applied in the real world of IBM products. The lecturer concluded with a look to the future both within IBM and in non-SNA-related projects.

The Routing Certification System

G.A. Harvey (Digital Equipment Corporation, Massachusetts, USA) described the design and construction of the Routing Certification System (RCS) for testing conformance of a node to selected aspects of the Routing Layer protocol, as specified by the Digital Network Architecture (DNA) of Digital Equipment Corporation.

G.W. Cowin, R.W.S. Hale and D. Rayner (National Physical Laboratory, UK) introduced the concept of an Assessment Center for Testing Open Systems Interconnection (OSI) protocol products. Physical architectures for assessment were compared by the lecturer, and the general logical architecture was discussed. The speaker also compared different approaches for the test design of 'Test Responder' and 'Encoder/Decoder' modules, drawing on practical experience. A comparison was given of the two test definition methods in use at NPL. The speaker concluded that some useful lessons have been learned from the earlier experience of using this philosophy and architecture. The lecturer felt that much more experience can be gained from NCC using the testing tools in the pilot UK Assessment Center.

Objective Understanding of Conformance

D. Rayner (National Physical Laboratory, UK) told the conference that currently all conformance
testing of protocol implementations is subjective. Each organization involved, the speaker went on to say, is likely to have its own interpretation of what constitutes conformance to a particular standard. The problem arises from poorly defined standards. The definition of the protocol itself is often confused with additional procurement requirements for implementation of the protocol. The elimination of this and other sources of ambiguity was discussed by the speaker. A checklist was provided at the conference which, the speaker believed, could assist progress towards an objective understanding of conformance and therefore define objective conformance tests.

Testing Implementations of OSI Protocols

R.L. Linn and W.H. McCoy (Institute for Computer Sciences and Technology, Washington D.C.) explored problems associated with protocol test design, semantics and completeness. A linguistic approach utilizing a generative grammar augmented with probability distributions associated with the production rules and random selection was used to produce test sequences for the NBS/ICST implementation of the ISO Class 4 Transport protocol. The lecturer also presented advantages and limitations of the methodology.

Testing Tools for OSI Protocol Implementation

R.J. Linn and J.S. Nightingale (Institute for Computer Sciences and Technology, Washington D.C.) described specific tools within the test architecture which has been developed and refined using a prototype implementation of the ICST Class 4 Transport Protocol. The language used for executing the tests, the speaker said, is based on representations of the service primitives of the layer under test. All possible combinations of service primitives can potentially be specified using this language. Errors are introduced into the protocol under test in a controlled manner by means of an Exception Generator which resides between layers three and four at the Test Center. The language which drives this tool provides the mechanism to edit protocol data units, concluded the lecturer.

The proceedings of this conference have been edited by H. Rudin and C.H. West and published by North-Holland under the title Protocol Specification, Testing, and Verification, III. xiii + 531 pages. ISBN: 0-444-86769-4. Price: US$65.00 (USA/Canada), Dfl. 170.00 (rest of the world).
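As an added illustration of the grammar-based test sequence generation reported above for Linn and McCoy (a generative grammar with probability distributions on its production rules, sampled at random), here is a small Python sketch that is not code from the report or from the NBS/ICST tools; the grammar, the transport-service primitive names, the weights and the connection-state oracle are all constructed for this example.

```python
"""
Constructed example: weighted generative grammar over ISO transport-service
primitives, plus a minimal connection-state model used as an oracle to check
that every generated sequence is semantically admissible (the "semantics and
completeness" concern raised in the talk). Not the NBS/ICST tool's own grammar.
"""
import random

# Nonterminal -> list of (weight, expansion). Terminals are primitive names.
# Weights bias the generator toward the common path while still exercising
# rarer cases such as a refused connection or expedited data.
GRAMMAR = {
    "SESSION": [
        (8, ["T-CONNECT.req", "T-CONNECT.conf", "TRANSFER", "RELEASE"]),
        (2, ["T-CONNECT.req", "T-DISCONNECT.ind"]),  # connection refused
    ],
    "TRANSFER": [
        (5, ["T-DATA.req", "TRANSFER"]),
        (1, ["T-EXPEDITED-DATA.req", "TRANSFER"]),
        (3, []),                                      # end of data phase
    ],
    "RELEASE": [
        (7, ["T-DISCONNECT.req"]),                    # user-initiated release
        (3, ["T-DISCONNECT.ind"]),                    # peer/provider-initiated
    ],
}

def generate(symbol, rng, depth=0, max_depth=20):
    """Expand `symbol` into a list of primitives by weighted random choice."""
    if symbol not in GRAMMAR:
        return [symbol]                     # terminal: a service primitive
    rules = GRAMMAR[symbol]
    if depth >= max_depth:                  # bound recursion: drop self-recursive rules
        rules = [r for r in rules if symbol not in r[1]] or rules
    _, expansion = rng.choices(rules, weights=[w for w, _ in rules], k=1)[0]
    out = []
    for s in expansion:
        out.extend(generate(s, rng, depth + 1, max_depth))
    return out

# Oracle: (state, primitive) -> next state for one transport connection.
TRANSITIONS = {
    ("closed", "T-CONNECT.req"): "connecting",
    ("connecting", "T-CONNECT.conf"): "open",
    ("connecting", "T-DISCONNECT.ind"): "closed",
    ("open", "T-DATA.req"): "open",
    ("open", "T-EXPEDITED-DATA.req"): "open",
    ("open", "T-DISCONNECT.req"): "closed",
    ("open", "T-DISCONNECT.ind"): "closed",
}

def is_valid(sequence):
    """True if every primitive is admissible in turn and the connection ends closed."""
    state = "closed"
    for prim in sequence:
        state = TRANSITIONS.get((state, prim))
        if state is None:
            return False
    return state == "closed"

def generate_suite(n, seed=1):
    """Generate n test sequences; a fixed seed makes the suite reproducible."""
    rng = random.Random(seed)
    return [generate("SESSION", rng) for _ in range(n)]

if __name__ == "__main__":
    for seq in generate_suite(5):
        print(("ok  " if is_valid(seq) else "BAD ") + " ".join(seq))
```

Because the grammar only produces paths the oracle accepts, a rejected sequence would point to a grammar or oracle mismatch rather than an implementation fault; the same oracle is what a test driver would consult before feeding a sequence to the implementation under test.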