Using BIP for modeling and verification of networked systems - A case study on TinyOS-based networks

We apply a model construction methodology to TinyOS-based networks, using the Behavior-Interaction-Priority (BIP) component framework. The methodology consists in building the model of a node as the composition of a model extracted from a nesC program describing the application, and models of TinyOS components. Models for networks are obtained by composition of models for nodes by using BIP connectors implementing different types of radio channels. This opens the way for enhanced analysis and early error detection by using verification techniques. © 2007 IEEE

Building distributed sensor network applications using BIP

International audienceThe exponential increase in the demands for the deployment of large-scale sensor networks, makes the efficient development of functional applications necessary. Nevertheless, the existence of scarce resources and the derived application complexity, impose significant constraints and requires high design expertise. Consequently, the probability of discovering design errors, once the application is implemented, is considerably high. To address these issues, there is a need for the availability of early-stage validation, performance evaluation and rapid prototyping techniques at design time. In this paper we present a novel approach for the co-design of mixed software/hardware applications for distributed sensor network systems. This approach uses BIP, a formal framework facilitating modeling, analysis and implementation of real-time embedded, heterogeneous systems. Our approach is illustrated through the modeling and deployment of a Wireless Multimedia Sensor Network (WMSN) application. We emphasize on its merits, notably validation of functional and non-functional requirements through statistical model-checking and automatic code generation for sensor network platforms

Symbolic Implementation of Connectors in BIP

BIP is a component framework for constructing systems by superposing three layers of modeling: Behavior, Interaction, and Priority. Behavior is represented by labeled transition systems communicating through ports. Interactions are sets of ports. A synchronization between components is possible through the interactions specified by a set of connectors. When several interactions are possible, priorities allow to restrict the non-determinism by choosing an interaction, which is maximal according to some given strict partial order. The BIP component framework has been implemented in a language and a tool-set. The execution of a BIP program is driven by a dedicated engine, which has access to the set of connectors and priority model of the program. A key performance issue is the computation of the set of possible interactions of the BIP program from a given state. Currently, the choice of the interaction to be executed involves a costly exploration of enumerative representations for connectors. This leads to a considerable overhead in execution times. In this paper, we propose a symbolic implementation of the execution model of BIP, which drastically reduces this overhead. The symbolic implementation is based on computing boolean representation for components, connectors, and priorities with an existing BDD package

Systematic and automatic verification of sensor networks

Ph.DDOCTOR OF PHILOSOPH

Using BIP to reinforce correctness of resource-constrained IoT applications

International audienceIoT applications have either a sense-only or a sense-compute-actuate goal and they implement a capability to process and respond to multiple (external) events while performing computations. Existing IoT operating systems provide a versatile execution environment that adheres to the limitations of the interconnected resource-constrained devices. To reduce the development effort, applications are often built on top of RESTful web services, which can be shared and reused. However, the asynchronous communication between remote nodes is prone to event scheduling delays, which cannot be predicted and taken into account while programming the application. Moreover, to avoid long delays in message processing and communication due to packet collisions, the data transmission frequencies between the system's nodes have to carefully chosen. In general, even when appropriate debugging tools and simulators are available, it is still a hard challenge to guarantee the required functional and non-functional properties at the application and system levels. To this end, we focus on IoT applications for the Contiki OS and we introduce a model-based rigorous analysis approach using the BIP component framework. At the application level, we verify qualitative properties regarding service responsiveness, whereas at the system level we can validate qualitative and quantitative properties using statistical model checking. We present results for an application scenario running on a distributed system infrastructure with nodes executing the Contiki OS

Interaction Systems and 1-safe Petri Nets

Interaction systems are a formal model for component-based systems, where components are combined via connectors to form more complex systems. We compare interaction systems (IS) to the wellstudied model of 1-safe Petri nets (1SN) by giving a translation map1: 1SN → IS and a translation map2: IS → 1SN, so that a 1-safe Petri net (an interaction system) and its according interaction system (1-safe Petri net) defined by the respective mapping are isomorphic up to some label relation R. So in some sense both models share the same expressiveness. Also, the encoding map1 is polynomial and can be used to reduce the problems of reachability, deadlock and liveness in 1SN to the problems of reachability, deadlock and liveness in IS, yielding PSPACE-hardness for these questions

Rigorous System Design: The BIP Approach

Rigorous system design requires the use of a single powerful component framework allowing the representation of the designed system at different levels of detail, from application software to its implementation. This is essential for ensuring the overall coherency and correctness. The paper introduces a rigorous design flow based on the BIP (Behavior, Interaction, Priority) component framework. This design flow relies on several, tool-supported, source-to-source transformations allowing to progressively and correctly transform high level application software towards efficient implementations for specific platforms

Synchronous Interface Theories and Time Triggered Scheduling

International audienceWe propose synchronous interfaces, a new interface theory for discrete-time systems. We use an application to time-triggered scheduling to drive the design choices for our formalism; in particular, additionally to deriving useful mathematical properties, we focus on providing a syntax which is adapted to natural high-level system modeling. As a result, we develop an interface model that relies on a guarded-command based language and is equipped with shared variables and explicit discrete-time clocks. We define all standard interface operations: compatibility checking, composition, refinement, and shared refinement. Apart from the synchronous interface model, the contribution of this paper is the establishment of a formal relation between interface theories and real-time scheduling, where we demonstrate a fully automatic framework for the incremental computation of time-triggered schedules

The algebra of connectors - Structuring interaction in BIP

We provide an algebraic formalization of connectors in the BIP component framework. A connector relates a set of typed ports. Types are used to describe different modes of synchronization: rendezvous and broadcast, in particular. Connectors on a set of ports P are modeled as terms of the algebra AC(P), generated from P by using a binary fusion operator and a unary typing operator. Typing associates with terms (ports or connectors) synchronization types - trigger or synchron - that determine modes of synchronization. Broadcast interactions are initiated by triggers. Rendezvous is a maximal interaction of a connector including only synchrons. The semantics of AC(P) associates with a connector the set of its interactions. It induces on connectors an equivalence relation which is not a congruence as it is not stable for fusion. We provide a number of properties of AC(P) used to symbolically simplify and handle connectors. We provide examples illustrating applications of AC(P), including a general component model encompassing synchrony, methods for incremental model decomposition, and efficient implementation by using symbolic techniques. © 2008 IEEE