146 Conference Reports
the business aspect of this problem, namely, what
are the cost benefits of such an integration, and
how wide a market is there for such integrated
systems?
These are the questions that the panelists ad-
dressed in this panel, focusing on the issues that
they thought are the most critical.
8. Microprocessor Applications
Microprocessors find applications everywhere
from cars to houses to factories. There were talks
in this conference area on microprocessor design
and technology, notably by G.E. Moore on the
evolution of microprocessors, by C. Mead on ultra
parallel designs, by T. Matsumura on future trends,
and by J. Nicoud by standardization issues. There
were Panel Discussions held on aspects of Robotics
and how it will change factories. Discussions were
also held on the VLSI chip and how they should
be designed into systems.
9. Social and Economic Implications
Are we better off with the computer and the
information revolution, or not? D. Dennett dis-
cussed how computers should fit people's needs.
N. Longworth discussed how to educate people for
the use of computers. A. Westin presented the
Protocol Specification, Testing and
Verification
The need for standards in computer communica-
tion systems and the growing complexity of func-
tions covered by these standards have created a
burgeoning demand for carefully conceived tech-
niques to specify, design, verify, implement and test
computer communication protocols. The Workshop
at the IBM Zurich Research Laboratory in Ruschli-
kon (Switzerland) from May 31 to June 2, 1983 was
dangers that computers pose on our privacy. And,
in a fourth invited lecture of this program area, G.
Gupta talked about the impact of computers on
developing countries. There were Panel Discus-
sions on computer induced unemployment and on
computer education. There were also discussions
on what intelligent machines may do to us and
how vulnerable society is to dangers from full
scale introduction of computers.
10. Computers in Everyday Life
Computers are slowly and visibly influencing
many aspects of our everyday life. In their Invited
Lecture, S. Hiltz and M. Turoff talked about this
effect. A. Bisseret discussed how we can live with
computers.
Panel Discussions were held on personal com-
puters and citizen participation in the informatics
revolution. There was also a panel on computer
literacy for the average person. Finally, after wit-
nessing the art of programming, the audience was
able to see computers generate art.
The proceedings of IFIP'83 - the 9th World Com-
puter Congress have been edited by K.E.A. Mason
and published by North-Holland under the title In-
formation Processing 83. 1983. xvi + 964 pages.
ISBN: 0-444-86729-5. price: US $98.00 (USA/
Canada), Dfl.260.00 (rest of the world).
the third in a series of workshops organized under
the auspices of IFIP Working Group 6.1 devoted to
this theme. As the meeting was a workshop, the
requirement for attendance was submission and
presentation of a paper. The participants came from
a wide variety of institutions, including universities,
government laboratories and computer manufac-
turers in ten different countries. This workshop has
 Conference Reports
made an important contribution to the exchange of
ideas between the research workers and those in-
volved with the practicalities of developing com-
munication systems, according to the Workshop
organizers Harry Rudin and Colin West.
The organization of such a meeting c o n s u m e s
considerable resources. IBM Zurich Research
Laboratory provided the support which made this
c o n f e r e n c e possible.
Due to the interest that this workshop has
created, another workshop will be held in North
America in the spring of 1984.
Section 1. Protocol Theory and Analyses
Interval Logic
R.L. Schwartz, P.M. Melliar Smith and F.H.
Vogt (SRI International, Menlo Park, Ca., USA)
presented a new interval-based temporal logic. The
logic, the lecturer said, stems from experience in
using temporal logic for specifying protocols
standards. The use of intervals to establish a con-
text for temporal assertions provides a high-level
structure for protocol specification. The lecturer
presented an informal introduction to the logic,
and illustrated with examples of asynchronous
queues and the Alternating Bit protocol.
Selection / Calculus Model
S, Aggarwal, R.P. Kurshan, and K. Sabnami
(Bell Laboratories, N.J.) described the main fea-
tures of the selection/resolution model. This
classical Alternating Bit protocol, described by the
lecturer in realistic detail is then used to illustrate
specification, analysis and "validation" tech-
niques. The speaker included a description of the
protocol. The Alternating Bit protocol was initially
described in terms of a dozen simple, concurrent,
interacting processes. The lecturer showed how
coordinated behavior can be computed. Methods
to analyze the protocol were discussed. The speaker
reported that by way of comparison, this specifica-
tion and analysis of the Alternating Bit protocol
can be related to others which have appeared in
literature.
A Specification and Analysis Language
S. Aggarwal, R.P. Kurshan and D. Sharma (Bell
Laboratories, N.J.) told the conference that the
147
selection/resolution model for concurrent
processes can be used in theory for design, specifi-
cation, analysis and implementation of complex
concurrent systems, assuming the availability of
supporting software. Such software must faithfully
represent the model and yet have sufficiently effi-
cient storage structures. To be of practical use, the
lecturer said, it also must have a user interface
with mechanisms for error control, naming and
system development of hierarchical structures and
the ability to compare different versions of compo-
nents. The speaker described the ongoing effort to
design such a software system. It will be a general
coordination analyzer and specifier (thus named
COSPAN) not limited to protocols.
Modelling Elapsed Time
S. Aggarwal and R.P. Kurshan (Bell Laborato-
ries, N.J.) told the conference that in the analysis
of communication protocols, it is often useful to
incorporate timing information that specifies the
elapsed time associated with sequences of opera-
tions. The lecturer gave the example that in order
to determine proper setting of a timer, one needs
information on the expected elapsed time between
message transmission and acknowledgement. The
speaker went on to describe how timing informa-
tion may be modelled, using the formal selection/
resolution model for concurrent processes. The
classical alternating bit protocol was used by the
speaker to illustrate the concepts.
Communicating Machines by Step Wise-Refinement
M.G. Gouda (University of Texas, Austin) con-
sidered the problem of constructing two finite-state
machines that communicate by exchanging mes-
sages via two, one-directional, unbounded, FIFO
channels. The two machines, the lecturer said,
should be constructed such that their communica-
tion is guaranteed to progress indefinitely. A
methodology to solve this by succession of refine-
ment steps was discussed. At each step more nodes
and edges are added to the two machines con-
structued so far; this continues until the required
two machines are realized. The speaker illustrated
the usefulness of this methodology by using it to
construct two communicating machines which
model the call establishment/clear protocol in
X.25.
148 Conference Reports
Section 2. Specification and Formal Models
The Power of Formal Models
R. Gustavsson and B. Pehrson (Uppsala Institute
of Technology, Sweden) compared two formal
techniques for modeling of concurrent systems.
They were "Communicating State Machines" and
"Calculus Communicating Systems" (CCS). A
variant of the Alternating Bit protocol was used as
an illustrating example. Implementation specifica-
tions are designed from an informal protocol
specification. The behavior of the composed enti-
ties is given in each formula and transformed
within each theory. The lecturer went on to say,
that apart from liveness, the implementation
specifications are observationally equivalent to the
service specification. The speaker showed in the
CCS-based example, how interval temporal logic
can be used to achieve proofs of total correctness.
Both techniques support incremental design which
is desirable in an interactive design system, accord-
ing to the speaker.
Abstraction by Structural Reduction
B. Pehrson (Uppsala Institute of Technology,
Sweden) presented a technique to reduce the func-
tional descriptions of a set of connected compo-
nents into a less complex functional description of
the composed system. The speaker demonstrated
this technique by verifying the data link service
provided by the Alternating Bit protocol. The pro-
tocol specification is reduced into the specification
of a queue. The basic idea is to abstract away all
events which do not affect the behavior of the
composed system according to an equivalent crite-
rion. This technique provides a powerful tool for
mechanizing formal synthesis and verification in a
hierarchical manner, Pehrson said. It has so far
been used together with abstract machine descrip-
tions with a finite number. However, it is a general
method, the speaker told the conference, which
could be used with other specification methods.
The method is implemented in the design system
Caddie and has been used to verify some simple
communication protocols.
Structured Finite State Automata
S. Budkowski and E. Najm (Agence de l'Infor-
matique, Paris-la-D6fense, France) presented and
formalized a new modelling technique (Structured
Finite State Automata-SFSA) which permits finite
state automata to be structured so that operations
such as direct coupling and projections may be
easily described and accomplished. The lecturer
then briefly illustrated and commented on how the
techniques may be applied to describe and validate
distributed communication systems. The speaker
also gave a simple example of techniques applied
to validate the cooperation of Session/Transport
adjacent entities in a local system.
Constructive and Executable Specification
L. Logrippo (University of Ottawa, Canada),
discussed some of the problems connected with the
formal specification of protocol services and pro-
posed some positive solutions. The lecturer intro-
duced concepts of "instructive" and "executable"
specifications presented a model for the construc-
tive specification of protocol services that is based
on the combined use of finite-state transducers
and abstract data types. The speaker also pre-
sented a technique for executable service specifica-
tions that uses a combination of abstract data
types and finite-state-automata concepts. This
technique, the speaker went on to say, enables the
definition of the transport service in a manner that
is precise, terse and abstract. This concept seems
to hold great promise for the definition of higher
level protocols and services that may involve com-
plex data manipulation functions. Similar tech-
niques, the speaker said in conclusion, have been
shown elsewhere to be eminently suitable for the
purpose of formal verification.
A Behavioral Description Language
G. Karjoth (University of Stuttgart, Fed. Rep.
Germany) told the conference that in the behav-
ioral description language applied is a process
algebra to the specification of protocols in distrib-
uted systems. Individual system components are
described by their interactions which are observa-
ble in the outside world and represent multi-way
synchronized communication over explicit interac-
tion points. The semantics of the language are
defined by temporal logic axioms, using Wolper's
relativization procedure. The speaker said that they
provide a mathematical framework for the analysis
of protocols and for developing logical systems for
proving their properties.
 Conference Reports
In conclusion, the speaker said that it is hoped
that the first link has been made between abstract
requirement specifications given in pure temporal
logic and more readable "normal form" specifica-
tions given in algebraic expressions.
Session 3. Theory and Applications of Petri Nets
Tools and Studies for Formal Techniques
M. Anttila, H. Eriksson, J. Ikonen, R. Kujansuu,
L. Ojala and H. Tuominen (Helsinki University of
Technology, Finland) discussed some experiences
of using the place/transition-net analyzer. The
lecturer described to the conference the work of
developing tools for a Petri Net laboratory. In the
temporal logic domain an approach of using tem-
poral logic to describe Petri nets was shown. In the
examples that the speaker showed, the formulas
describing CE-systems are quite long and com-
plicated to carry out manually. One solution, in
the speaker's opinion, would be to mechanize some
decision procedures. There are many open ques-
tions in this area. The speaker said it might be
more beneficial to use branching time structures to
model nondeterminism in CE-systems. Another
interesting topic would, the lecturer concluded
with, be to describe high-level nets using quanti-
fied temporal logic.
Timed Petri Nets
Timed Petri Nets are ordinary Petri Nets with
additional elements for modelling time. B. Walter
(University of Stuttgart, Fed. Rep. of Germany)
introduced several types of timed Petri Nets for
modelling network protocols that make extensive
use of timers as well as the time behavior of the
physical system. Three types of net were con-
sidered in the presentation: Condition/Event Nets,
Place/Transition Nets and Predicate/Transition
Nets. It was shown how to analyze timed Petri
Nets and how to check the validity of the modeled
timers. In particular, the speaker showed how to
model message delayers and timers.
Time Petri Nets
M. Menasche and B. Berthomieu (National
Center for Scientific Research, France) spoke about
149
modelling and proving correct concurrent systems
in which time appears as a parameter (such as
communication protocols). Merlin's time Petri Nets
were used for modelling these systems and a re-
cently developed enumerative method was em-
ployed for analyzing their behavior. This method
was applied to the specification and verification of
a data transfer protocol and a bus allocation pro-
tocol.
Alternative and complementary methods for
analyzing Time Petri Nets are being investigated,
the speaker told the conference. These include
reduction rules for preserving some properties and
structural methods making use of the structure of
the net for deducing properties of its behavior.
Also being investigated is extending the field of
application of the method towards performance
analysis, the lecturer concluded.
The 1SO Transport Service
J. Billington (Telecom Australia Research
Laboratories, Australia) presented a formal speci-
fication of the ISO-Transport System Definition.
This specification applies to a single instance of a
connection. Six phases of the connection are
specified by simple separate numerical Petri Nets
which may be easily combined to obtain the total
specification. The invocation of a service primitive,
the speaker went on to say, has been associated
with the firing of a transition using a label. The
execution of NPN then describes the allowable
sequence of Transport Service primitives and the
relationship between these at both ends of the
connection.
The speaker concluded with the claim that
NPNs are a powerful graphic technique for the
specification of ISO services. The merits of NPNs
as a formal description technique are currently
being debated within CCITT and ISO, reported
Billington.
Session 4. Validation and Verification
VA DILOC
O. Rafiq and J.P. Ansart (Agence de l'Informa-
tique, France) presented a methodology for de-
scription and implementation of OSI-oriented
communication protocols. One important step, the
150 Conference Reports
speaker said, is the translation of the informal
description into a description using extended finite
state automaton using predicates. This automaton
describing the behavior of an entity for one con-
nection is first checked for correctness (con-
sistency, state reachability, etc.) before it is used
for a description based on programming language
and for protocol validation.
After some experiences of VADILOC/BS with
protocols using simple messages, an extension has
been made, introducing new functions. This exten-
sion, called VADILOC/ES (extended system), is
more suitable for high level protocols for manipu-
lation variables. Both systems, the speaker con-
cluded with, are written in PASCAL and run on
the CII-HB Multics system at I N R I A
(Rocquencourt, France).
Link Initialization Procedure
A.E. Baratz and A. Segall (IBM Thomas J.
Watson Research Center, New York) told the con-
ference that it is known that HDLC and other bit
DLC (Data Link Control) procedures ensure data
transmission reliability on noisy links provided
that all transmission errors are detected and the
link processes are synchronized at initialization.
The most commonly used DLC procedures are the
bit-oriented DLC procedures such as HDLC,
SDLC, ADCCP or Alternating Bit. In this pre-
sentation, the speaker showed that the HDLC
initialization procedure does not ensure synchroni-
zation and thus allows inadvertent loss of data.
The speaker proposed a new link initialization
procedure and proved that it does ensure synchro-
nization.
Automated Protocol Verification
H. Eckert and R. Prinoth (Gesellschaft fi~r
Mathematik und Datenverarbeitung, Fed. Rep. of
Germany) first presented a short introduction of a
specification tool for communication protocols, in
particular for those protocols having a potentially
unbounded set of reachable states. The mathe-
matical foundation of the specification method is
such that it is possible to compare different speci-
fications of the same protocol by means of homo-
morphisms.
The speaker also presented a verification
method. This combines the developed specification
tool and the structured principles of the ISO refer-
ence model. The main feature of the method is
that it makes possible to prove that a protocol
provides a service and uses an underlying service
correctly, according to the lecturer. A complete
system for the automated verification of protocols
has been implemented. The lecturer provided the
conference with examples that illustrate both the
specification and verification method.
Experience With Automated Verification Tech-
niques
C.A. Sunshine (University of Southern Cali-
fornia, Marina del Rey) reported to the conference
that at his institute four automated verification
systems were applied to a common set of com-
munication protocols to assess their capabilities.
The systems and their key features were Affirm,
Gypsy, Concurrent State Delta and Formal Devel-
opment Methodology. Each system, the lecturer
told the conference, showed different strengths in
specifying protocols and verifying their correct
behavior. The presenter's experience showed that
important features of real protocols can be han-
dled by current automated systems, but a great
deal of effort and ingenuity is required and further
development efforts are needed before real proto-
cols can be fully and routinely verified.
Verification via Executable Logic Specifications
D.P. Sidhu (SDC, Pennsylvania, USA) dis-
cussed the uses of logic programming techniques
in the specification and verification of communi-
cation protocols. The protocol specifications dis-
cussed are formal and directly executable. The
advantages of executable specifications, Sidhu as-
serted, are (1) the specification is itself a prototype
of the specified system, (2) incremental develop-
ment of specifications is possible, and (3) behavior
exhibited by the specification when executed can
be used to check conformity of specification with
requirements. The speaker discussed Horn clause
logic, which has a procedural interpretation, and
the predicate logic programming language, PRO-
LOG, to specify and verify the functional correct-
ness of protocols. PROLOG possesses a powerful
pattern-matching feature which is based on unifi-
cation, Sidhu concluded.
 Conference Reports
Session 5. Protocol Performance
Industrial Ethernet Local Networks
G. Florin (CERCI, France), S. Natkin, A. Woog
and J. Attal (CNAM, France) told the conference
that local networks have to be built using low cost
interfaces. Integrated circuits for CSMA-CD pro-
tocol are not available and would be very useful
for such applications. The major problem which
arises with CSMA-CD is the non-deterministic
bound of the response time. Whether CSMA-CD
techniques are adequate for control process appli-
cations can be validated only by probabilistic tech-
niques. The speaker presented general methods to
validate CSMA-CD industrial networks response
time characteristics. These methods were applied
to a highly constrained application (the control of
an energy power plant). The main topics in this
lecture were: (a) Characteristics of control process
applications, (b) The probabilistic assumptions to
be validated and the statistical tests to check such
assumptions, (c) Simulation of the transient behav-
ior of Ethernet.
Lastly, the lecturer presented the main
numerical results. They allow the definition of
conditions to be fulfilled for accepting CSMA-CD
control process networks.
Automated Performance Prediction
H. Rudin (IBM Zurich Research Laboratory,
Switzerland) described some first steps in using a
formal definition as the basis for the automated
prediction of protocol performance. Rudin con-
sidered a simple example, and presented a tech-
nique for predicting protocol performance directly
and automatically from the kind of formal ma-
chine-readable definition now often being used for
concise protocol specification. As time goes on
techniques for predicting protocol performance di-
rect from a protocol's formal specification will be
increasingly in demand, according to Rudin.
Session 6. Protocol Design and Implementation
Design of a Couple Service-Protocol
G. Juanole and B. Algayres (Laboratoire d'Au-
tomatique, France) elaborated on the design of
151
Transport Service-Transport Protocol couples. The
combination of Service and Protocol is em-
phasized because the design of a protocol is closely
related to the service it must provide. A three-level
model which provides insight on the design speci-
fication and a method to specify well designed
couples were presented. The speaker told the con-
ference that an important result of this is the
specification of the conditions under which proto-
cols (either with a two way or with a three way
handshake scheme) have to be used. The lecturer
also presented a Petri Net model of a couple which
uses a three way handshake scheme. The speaker
went on to say, that this model enables to view the
relations between the service and the protocol and
to verify the logic of their interactions.
Transport Layer Protocol for Special Purpose LA N
C. Boccalini (I&O, Genova, Italy), W. Ansaldi,
M. Olobardi and A.M. Traverso (Ansaldo S.p.A.,
Genova, Italy) spoke about the system named
MODIAC which is a local area network whose
stations can be configured as mono- or multi-pro-
cessor nodes based on the Z-8000 microprocessor.
The environment in which the automation system
works, the lecturer said, is usually characterized by
strong, electromagnetic noise affecting message
correctness. The speaker went on to say that the
message transmission delay is often critical for the
controlled plant safety. This led to the design of a
communication subsystem where transmission in-
terfaces are connected to a serial bus with a token
passing policy. The four lower protocol layers
reside on the interface boards and the higher ones
on the CPU boards. The lecturer described the
choices made for the transport layer design and
the considerations which led to the decision mak-
ing.
Implementation of Assembl) Language
F.M. Restorick (Plessey Office Systems, Not-
tingham, UK) described a method used to imple-
ment a transport layer protocol in the 8086 assem-
bly language. The protocol implementation works
under a multi-tasking executive. This method con-
sists of a funnel stepper, a state table and a
collection of action modules. This approach, as
well as reducing the processing time necessary to
interpret the protocol, allows easy implementation
152 Conference Reports
of a trace facility to be included in the system at
debug time, and allows coding and programming
of the action modules to be pooled between many
programmers at the design stage.
Restorick described in detail the method used
to realize the state tables in 8086 and the function
funnel stepper. He also explained to the con-
ference the methods used to test the systems.
Session 7. Integrated Systems
Development of Services with CIL
H. Krumm and O. Drobnik (Institut fiar Infor-
matik III, Karlsruhe, F.R. Germany) presented an
introduction to the language CIL (Communication
Service Implementation Language) and also pre-
sented the theory and its application to specifica-
tion and verification purposes. The CIL approach
for the development of communication services is
based on the CIL language and a CIL-compatible
theory of the program execution. The program-
ming language provides for structuring concepts to
support the design and the implementation of
services. The theory contains a logical language to
express specifications and axioms of program
semantics, an event oriented-model of program
execution, and a first-order predicate calculus to
perform verification by means of deduction in the
calculus.
Secure Communications Systems
R.E. Strom and S. Yemini (IBM T.J. Watson
Research Center, New York) discussed those fea-
tures in the NIL language which make valuable
during the design, implementation, validation and
testing phases of communication systems. These
features were: (a) a process model in which shared
and global data does not exist, thereby supporting
concurrency and modularity in a single construct;
(b) queued communication which results in a high
degree of uncoupling between modules and per-
mits truly modular verification of NIL systems; (c)
run-time operations for loading processes and
binding communications channels; (d) full specifi-
cation of inter-module interfaces and complete
compile-time checking of the consistency between
code and interfaces; (e) typestate checking, a sub-
set of program verification performed automati-
cally by an NIL compiler, which limits the extent
to which unvalidated programs can corrupt vali-
dated ones through dangerous side effects.
The lecturer also discussed experience in using
NIL as both a design and an implementation
language for SNA.
The LC / 1 Language
J.M. Ayache and J.P. Courtiat (Laboratoire
d'Automatique, France) described the basic fea-
tures of the communication language LC/1. It
supports a global approach including the protocol
specification, validation and implementation. It is
essentially based on the use of the ISO reference
model and Petri Nets. The lecturer told the con-
ference that the overriding concern during its de-
sign was to validate in the most complete way the
specifications by means of existing tools, like
OGIVE/OVIDE and to minimize any designer's
intervention between specification and implemen-
tation stages. The language compiler is being de-
veloped, while the simulator kernel has already
been tested, and (the speaker concluded with) an
implementation of the RHIN transport protocol is
also being developed along the same line.
CUPID
Y. Yemini and N. Nounou (Columbia Univer-
sity, New York) described research conducted to-
wards Columbia's United Protocol Information
and Design (CUPID) environment. CUPID re-
search aims at the integration and automation of
protocol design and implementation tools. CUPID
uses algebraic representation of protocols based in
part, upon a variant of Milner's calculus of com-
municating systems (CCS). Communication behav-
iors are represented in terms of expressions of a
universal algebra. A key notion to the automation
of protocol development functions is that of a
valuation over the algebra of communication be-
haviors. A valuation maps communication behav-
iors to expressions in other algebras (e.g., an alge-
bra of delay distribution used for performance
analysis). This allows, explained the lecturer, one
to proceed and compute attributes of communica-
tion behaviors over the respective algebras using a
formal valuation process.
A brief introduction to CCS in the context of
modelling protocol behaviors was provided by the
 Conference Reports
speaker. This was followed by a summary of how
the algebraic valuation mechanism may be used to
support the different functions of the protocol
design environment.
PA ND ORA
G.J. Holzmann and R.A. Beukers (Delft Univer-
sity of Technology, The Netherlands) told the
conference that the protocol design and analysis
system named "PANDORA", a joint developing
project with the Netherlands PTT and the Delft
University of Technology, provides its users with a
controlled environment for protocol synthesis and
formal analysis. PANDORA also offers both
software and hardware tools for protocol assess-
ment. PANDORA can assist the user in documen-
tation of protocol designs by autonomously ex-
tracting SDL-diagrams, and has a set of tools for
the generation of executable protocol implementa-
tions from abstract specifications.
Automated Protocol Development System
P.T. Blumer and D.P. Sidhu (SDC, Penn-
sylvania, USA) gave an overview to the conference
of a formal specification technique and implemen-
tation method for computer communication proto-
cols. The technique that the lecturer described was
developed at Bolt Beranek and Newman. A collec-
tion of useful software tools was also discussed.
The speaker focussed on a tool called the finite
state machine (FSM) analyzer, which can be used
with this technique to verify certain protocol prop-
erties. The speaker described the application of the
analyzer to an authentication protocol and gave
some interesting results.
From Formal Description to A utomated Implemen-
tation
J.P. Ansart, V. Chari and D. Simon (Agence de
l'Informatique, France) gave a brief overview of
the basic concepts of the PDIL language (Protocol
Description and Implementation Language)
through an example of a description. The basic
ideas underlying the PDIL translator were out-
lined by the speaker. This translator is now availa-
ble, the conference was told, on a Multics system.
The lecturer also explained how to pass from a
PDIL formal description to implementation by
dealing with all the choices.
153
The lecturer went on to explain that the formal
description in PDIL should (a) be able to describe
the protocol clearly and completely without en-
forcing over-specification, (b) serve for verifying
the correctness of the protocol, and (c) be able to
derive an implementation in as much possible
automated way.
Session 7. Protocol Testing
Layer-Independent Architecture
S. Palazzo, P. Fogliata and G. LeMoli (CREI,
Milano, Italy) introduced to the conference an
architecture for a system performing the testing of
a generic OSI layer. It was shown that the system
proposed can be used to test the protocol imple-
mentations in terms of both protocol testing and
service testing, either in debugging or in certifica-
tion phase. The structure of the system, the speaker
told the conference, is designed in such a way as to
point out what is independent from the layer in
which the protocol being tested lies. Finally the
functional specification of the modules composing
the system was described.
Testing and Diagnosis Aids"
A. Giebler (Institut fi~r Datenfernverarbeitung,
Fed. Rep. of Germany) gave an overview of a
special protocol tester which has been developed
by the GMD (Gesellschaft fgr Mathematik und
Datenverarbeitung) within the TESDI project
(TESting and Diagnosis aid for higher protocols).
The lecturer discussed the following subjects: (a)
the concept of the protocol tester; (b) the applied
testing method; (c) the different testing functions;
(d) the used implementation concepts; and (e) an
example of a telex (transport layer) test.
User Guided Test Sequence Generation
H. Ural and R.L. Probert (University of Ottawa,
Canada) presented a computer-assisted approach
for generating test sequences from specifications
of communications protocols and services. The
approach is based on using attributed context free
grammars and is directly applicable in a logic
programming environment. The speaker said that
the approach involves constructing test sequence
154 Conference Reports
specifications in attributed context free grammars,
implementing these specifications in logic pro-
gramming as generators, and executing the genera-
tors in a controlled fashion to generate test se-
quences.
The lecturer illustrated the approach on trans-
port service and protocol specifications. Benefits
include improvements in test design, specification,
documentation and management.
Requirements for a Test Specification Language
R.L. Probert and H: Ural (University of Ottawa,
Canada) examined the application of the notion of
a test specification language to various issues in
the testing of protocol implementations. Sources
of language design constraints, such as limitations
imposed by the test session architecture, were dis-
cussed. Also the speaker discussed the effects of
relationships among language features, degree of
distribution of test control, the design of proper-
ties of test support tools and test initialization and
reporting requirements. The speaker concluded
with a progress report on a prototype test specifi-
cation language for specification-based testing of
protocol implementations.
Qualitative Protocols Validation
J.F. Billiard (CAP Sogeti Logiciel, France) pre-
sented four basic rules which he has found useful
in obtaining significant validation results. Due to
the vast number of tests that can be performed,
the speaker proposed a tentative classification
according to the function. Tests can be divided
into two classes: qualitative tests and load accep-
tance tests. Qualitative tests are designed to con-
trol the "communication machine" - node, net-
work, host or gateway - observes its protocol and
that its supplied facilities such as routing, billing,
statistics, etc. are correct. The speaker told the
conference that load acceptance tests are designed
to control the possibilities of the machine in terms
of data packets per second or maximum number
of simultaneous communications.
Testing of Protocols in SNA Products
R.M.S. Cork (IBM, England) focused his talk
on the evolving specification of IBM's System
Network Architecture (SNA), some of the tools
which have been developed to exploit the advances
in specification and the impact these tools have
had on the testing and implementation of SNA
products. At the present time, the speaker told the
conference, a Format And Protocol Language
(FAPL) is used for SNA specification. This lan-
guage is used not only in IBM's external publica-
tions which describe the architecture, but also in
the production of a machine-readable, executable
description of SNA. After consideration of a theo-
retical approach to product protocol testing in-
volving this executable definition, the speaker went
on to describe some of the techniques which have
been applied in the real world of IBM products.
The lecturer concluded with a look to the future
both within IBM and in non-SNA-related projects.
The Routing Certification System
G.A. Harvey (Digital Equipment Corporation,
Massachusetts, USA) described the design and
construction of Routing Certification System of
(RCS) for testing conformance of a node to selected
aspects of the Routing Layer protocol, as specified
by the Digital Network Architecture (DNA) of
Digital Equipment Corporation.
Protocol Product Testing
G.W. Cowin, R.W.S. Hale and D. Rayner (Na-
tional Physical Laboratory, UK) introduced the
concept of an Assessment Center for Testing Open
Systems Interconnection (OSI) protocol products.
Physical architectures for assessment were com-
pared by the lecturer, and the general logical ar-
chitecture was discussed. The speaker also com-
pared different approaches for the test design of
'Test Responder' and 'Encoder/Decoder' mod-
ules, drawing on practical experience. A compari-
son was given of the two test definition methods in
use of NPL. The speaker concluded that some
useful lessons have been learned from the earlier
experience of using this philosophy and architec-
ture. The lecturer felt that much more experience
can be gained from NCC using the testing tools in
the pilot UK Assessment Center.
Objective Understanding of Conformance
D. Rayner (National Physical Laboratory, UK)
told the conference that currently all conformance
 Conference Reports
testing of protocol implementations is subjective.
Each organization involved, the speaker went on
to say, is likely to have its own interpretation of
what constitutes conformance to a particular
standard. The problem arises from poorly defined
standards. The definition of the protocol itself is
often confused with additional procurement re-
quirements for implementation of the protocol.
The elimination of this and other sources of am-
biguity was discussed by the speaker. A checklist
was provided at the conference which, the speaker
believed, could assist progress towards an objec-
tive understanding of conformance and therefore
define objective conformance tests.
Testing Implementations of OSI Protocols
R.L. Linn and W.H. McCoy (Institute for Com-
puter Sciences and Technology, Washington D.C.)
explored problems associated with protocol test
design, semantics and completeness. A linguistics
approach utilizing a generative grammar aug-
mented with probability distributions associated
with the production rules and random selection
was used to produce test sequences for the
NBS/ICST implementation of ISO Class 4 Trans-
port protocol. The lecturer also presented ad-
vantages and limitations of the methodology.
155
Testing Tools for OSI Protocol Implementation
R.J. Linn and J.S. Nightingale (Institute for
Computer Sciences and Technology, Washington
D.C.) described specific tools within the test ar-
chitecture which has been developed and refined
using a prototype implementation of the ISCT
Class 4 Transport Protocol. The language used for
executing the tests, the speaker said, is based on
representations of the service primitives of the
layer under test. All possible combinations of
service primitives can potentially be specified using
this language. Errors are introduced into the pro-
tocol under test in a controlled manner by means
of an Exception Generator which resides between
layers three and four at the Test Center. The
language which drives this tool provides the mech-
anism to edit protocol data units, concluded the
lecturer.
The proceedings of this conference have been
edited by H. Rudin and C.H. West and published by
North-Holland under the title Protocol Specification,
Testing, and Verification, II1. xiii + 531 pages. ISBN:
0-444-86769-4. Price: US$65.00 (USA/Canada),
Df1.170.00 (rest of the world).