
    From Formal Methods to Executable Code

    Note: the cover page of this report shows an incorrect title. The title given on the first page of the document itself is correct.

    The objective of this work is the derivation of software that is verifiably correct. Our approach is to abstract system specifications and model them in a formal framework called Timed Input/Output Automata, which provides a notation for expressing distributed systems and mathematical support for reasoning about their properties. Although formal reasoning is easier at an abstract level, it is not clear how to transform these abstractions into executable code. If, during system implementation, an abstract system specification is left to human interpretation, undesirable behaviors may be introduced into the final code, nullifying all formal efforts. This manuscript addresses this issue and presents a set of transformation methods for systems described as a network of timed automata into Java code for distributed platforms. We prove that the presented transformation methods preserve the guarantees of the source specifications and therefore result in code that is correct by construction.

    Towards implementing group membership in dynamic networks : a performance evaluation study

    Thesis (M. Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2005. Includes bibliographical references (p. 105-109).

    Support for dynamic groups is an integral part of the U.S. Department of Defense's vision of Network-Centric Operations. Group membership (GM) serves as the foundation of many group-oriented systems; its fundamental role in applications such as reliable group multicast, group key management, data replication, and distributed collaboration makes optimization of its efficiency important. The impact of GM's performance is amplified in dynamic, failure-prone environments with intermittent connectivity and limited bandwidth, such as those that host military on-the-move operations. A recent theoretical result has proposed a novel GM algorithm, called Sigma, which solves the Group Membership problem within a single round of message exchange. In contrast, all other GM algorithms require more rounds in the worst case. Sigma's breakthrough design both makes and handles tradeoffs between fast agreement and possible transient disagreement, raising the question: how efficiently and accurately does Sigma perform in practice? We answer this question by implementing and studying Sigma in simulation, as well as two leading GM algorithms, Moshe and Ensemble, in a comparative performance analysis. Among the variants of Sigma that we study is Leader-Based Sigma, which we design as a more scalable alternative. We also discuss parameters enabling Sigma's optimal practical deployment in a variety of applications and environments. Our simulations show that, consistent with the theoretical results, Sigma always terminates within a single round of message exchange, faster than Moshe and Ensemble. Moreover, Sigma has less message overhead and produces virtually the same quality of views as Moshe and Ensemble when used with a filter for limiting disagreement. These results strongly indicate that Sigma is not just a theoretical result, but indeed a result with important practical implications for Group Communication Systems: the efficiency of GM applications can be significantly improved, without compromising accuracy, by replacing current GM algorithms with Sigma.

    by Sophia Yuditskaya. M.Eng.

    Specifications and proofs for Ensemble Layers

    Ensemble is a widely used group communication system that supports distributed programming by providing precise guarantees for synchronization, message ordering, and message delivery. Ensemble eases the task of distributed-application programming, but as a result, ensuring the correctness of Ensemble itself is a difficult problem. In this paper we use I/O automata for formalizing, specifying, and verifying the Ensemble implementation. We focus specifically on message total ordering, a property that is commonly used to guarantee consistency within a process group. The systematic verification of this protocol led to the discovery of an error in the implementation.