18 research outputs found

    Formalization and Correctness of the PALS Architectural Pattern for Distributed Real-Time Systems

    Many Distributed Real-Time Systems (DRTS), such as integrated modular avionics systems and distributed control systems in motor vehicles, are made up of a collection of components communicating asynchronously among themselves and with their environment that must change their state and respond to environment inputs within hard real-time bounds. Such systems are often safety-critical and need to be certified; but their certification is currently very hard due to their distributed nature. The Physically Asynchronous Logically Synchronous (PALS) architectural pattern can greatly reduce the design and verification complexities of achieving virtual synchrony in a DRTS. This work presents a formal specification of PALS as a formal model transformation that maps a synchronous design, together with a set of performance bounds of the underlying infrastructure, to a formal DRTS specification that is semantically equivalent to the synchronous design. This semantic equivalence is proved, showing that the formal verification of temporal logic properties of the DRTS can be reduced to their verification on the much simpler synchronous design. An avionics system case study is used to illustrate the usefulness of PALS for formal verification purposes.

    A Formal Framework for Mobile Ad hoc Networks in Real-Time Maude

    Mobile ad hoc networks (MANETs) are increasingly popular and deployed in a wide range of environments. However, it is challenging to formally analyze a MANET, both because there are few reasonably accurate formal models of mobility, and because the large state space caused by the movements of the nodes renders straightforward model checking hard. In particular, the combination of wireless communication and node movement is subtle and does not seem to have been adequately addressed in previous formal methods work. This paper presents a formal executable and parameterized modeling framework for MANETs in Real-Time Maude that integrates several mobility models and wireless communication. We illustrate the use of our modeling framework with the Ad hoc On-Demand Distance Vector (AODV) routing protocol, which allows us to analyze this protocol under different mobility models.

    Formal Modeling and Analysis of Leader Election in MANETs

    The modeling and analysis of mobile ad hoc networks (MANETs) pose non-trivial challenges to formal methods. Time, geometry, communication delays and failures, mobility, and uni- and bidirectionality can interact in unforeseen ways that are hard to model and analyze by automatic formal methods. In this work we use rewriting logic and Real-Time Maude to address this challenge. We propose a composable formal framework for MANET protocols and their mobility models that can take into account such complex interactions. We illustrate our framework by analyzing a well-studied leader election protocol for MANETs in the presence of both mobility and uni- and bidirectional links.

    Funding: NSF Grant CNS 13-19109; AFOSR Grant FA8750-11-2-0084.

    A New Distributed Transaction Protocol and Its Formal Analysis in Maude

    Designers of distributed database systems face the choice between performance and consistency guarantees: with stronger consistency guarantees comes higher transactional latency and lower throughput. Certain collaborative editing application scenarios only require read atomicity (either all or none of a transaction's updates are visible to another transaction) and no lost updates (all updates are incrementally performed). Many existing distributed database systems meet these requirements. However, they all provide additional stronger consistency guarantees (such as causal consistency), and therefore incur lower performance. In this paper we define a new distributed transaction protocol, ROLA, that targets application scenarios where only read atomicity and no lost updates are needed. We formally model ROLA in Maude. We then perform model checking to analyze both the correctness and the performance of ROLA. For correctness, we use standard model checking to analyze ROLA's satisfaction of read atomicity and prevention of lost updates. Our results show that ROLA satisfies the correctness properties with a bounded number of parameters. To analyze performance we: (a) perform statistical model checking to analyze key performance properties such as throughput, average latency, and commit rate; and (b) compare these performance results with those obtained by also modeling and analyzing in Maude the same performance properties for Walter, a well-known high-performance protocol meeting the requirements of read atomicity and prevention of lost updates. Our statistical model checking results show that ROLA outperforms Walter.

    Formal Modeling and Analysis of RAMP Transaction Systems in Maude

    To cope with ever-increasing data sets, distributed data stores partition their data across servers. However, real-world systems usually do not provide useful transactional semantics for operations accessing multiple partitions due to the delays involved in achieving multi-partition consistency. Read Atomic Multi-Partition (RAMP) transactions have recently been proposed as efficient light-weight multi-partition transactions that guarantee read atomicity: either all updates or no updates of a transaction are visible to other transactions. In this paper we formalize RAMP transactions in rewriting logic and perform model checking verification of key properties using the Maude tool. In particular, we develop detailed formal models of, and formally analyze, a number of extensions and optimizations of RAMP that are only briefly mentioned by the RAMP developers.

    Funding: AFOSR/AFRL FA8750-11-2-0084; NSF CCF 0964471; NSF CNS 1319527; NSF CNS 1409416.

    Design, Formal Modeling, and Validation of Cloud Storage Systems using Maude

    To deal with large amounts of data while offering high availability, throughput and low latency, cloud computing systems rely on distributed, partitioned, and replicated data stores. Such cloud storage systems are complex software artifacts that are very hard to design and analyze. We argue that formal specification and model checking analysis should significantly improve their design and validation. In particular, we propose rewriting logic and its accompanying Maude tools as a suitable framework for formally specifying and analyzing both the correctness and the performance of cloud storage systems. This chapter largely focuses on how we have used rewriting logic to model and analyze industrial cloud storage systems such as Google's Megastore, Apache Cassandra, Apache ZooKeeper, and RAMP. We also touch on the use of formal methods at Amazon Web Services.

    This work is based on research sponsored by the Air Force Research Laboratory and the Air Force Office of Scientific Research, under agreement number FA8750-11-2-0084. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation thereon. This work is also based on research supported by the National Science Foundation under Grant Nos. NSF CNS 1409416 and NSF CNS 1319527.

    Initiation of T cell signaling by CD45 segregation at 'close contacts'.

    It has been proposed that the local segregation of kinases and the tyrosine phosphatase CD45 underpins T cell antigen receptor (TCR) triggering, but how such segregation occurs and whether it can initiate signaling is unclear. Using structural and biophysical analysis, we show that the extracellular region of CD45 is rigid and extends beyond the distance spanned by TCR-ligand complexes, implying that sites of TCR-ligand engagement would sterically exclude CD45. We also show that the formation of 'close contacts', new structures characterized by spontaneous CD45 and kinase segregation at the submicron scale, initiates signaling even when TCR ligands are absent. Our work reveals the structural basis for, and the potent signaling effects of, local CD45 and kinase segregation. TCR ligands have the potential to heighten signaling simply by holding receptors in close contacts.

    The authors thank R.A. Cornall, M.L. Dustin and P.A. van der Merwe for comments on the manuscript and S. Ikemizu for useful discussions about the structure. We also thank W. Lu and T. Walter for technical support with protein expression and crystallization, the staff at Diamond Light Source beamlines I02, I03 and I04-1 (proposal mx10627) and European Synchrotron Radiation Facility beamlines ID23EH1 and ID23EH2 for assistance at the synchrotrons, G. Sutton for assistance with MALS experiments, and M. Fritzsche for advice on the calcium analysis. This work was funded by the Wellcome Trust (098274/Z/12/Z to S.J.D.; 090532/Z/09/Z to R.J.C.G.; 090708/Z/09/Z to D.K.), the UK Medical Research Council (G0700232 to A.R.A.), the Royal Society (UF120277 to S.F.L.) and Cancer Research UK (C20724/A14414 to C.S.; C375/A10976 to E.Y.J.). The Oxford Division of Structural Biology is part of the Wellcome Trust Centre for Human Genetics, Wellcome Trust Core Award Grant Number 090532/Z/09/Z. We acknowledge financial support from Instruct, an ESFRI Landmark Project. The OPIC electron microscopy facility was funded by a Wellcome Trust JIF award (060208/Z/00/Z).

    This is the author accepted manuscript. The final version is available from Nature Publishing Group via https://doi.org/10.1038/ni.339

    Specification and Analysis of the AER/NCA Active Network Protocol Suite in Real-Time Maude

    This paper describes the application of the Real-Time Maude tool and the Maude formal methodology to the specification and analysis of the AER/NCA suite of active network multicast protocol components. Because of its time-sensitive and resource-sensitive behavior, the presence of probabilistic algorithms, and the composability of its components, AER/NCA poses challenging new problems for its formal specification and analysis. Real-Time Maude is a natural extension of the Maude rewriting logic language and tool for the specification and analysis of real-time object-based distributed systems. It supports a wide spectrum of formal methods, including: executable specification; symbolic simulation; breadth-first search for failures of safety properties in infinite-state systems; and linear temporal logic model checking of time-bounded temporal logic formulas. These methods complement those offered by network simulators on the one hand, and timed-automaton-based tools and general-purpose theorem provers on the other. Our experience shows that Real-Time Maude is well-suited to meet the AER/NCA modeling challenges, and that its methods have proved effective in uncovering subtle and important errors in the informal use case specification.

    Synchronous AADL and its Formal Analysis in Real-Time Maude

    Distributed Real-Time Systems (DRTS), such as avionics systems and distributed control systems in motor vehicles, are very hard to design because of asynchronous communication, network delays, and clock skews. Furthermore, their model checking typically becomes unfeasible due to the large state spaces caused by the interleavings. For many DRTSs, we can use the PALS methodology to reduce the problem of designing and verifying asynchronous DRTSs to the much simpler task of designing and verifying their synchronous versions. AADL is an industrial modeling standard for avionics and automotive systems. We define in this paper the Synchronous AADL language for modeling synchronous real-time systems in AADL, and provide a formal semantics for Synchronous AADL in Real-Time Maude. We have integrated into the OSATE modeling environment for AADL a plug-in which allows us to model check Synchronous AADL models in Real-Time Maude within OSATE. We exemplify such verification on an avionics system, whose Synchronous AADL design can be model checked in less than 10 seconds, but whose asynchronous design cannot be feasibly model checked.

    Funding: Boeing/C8088; CNS 08-34709; CCF 09-05584; The Research Council of Norway.

    PALS: Physically Asynchronous Logically Synchronous Systems

    In networked cyber physical systems, real time global computations, e.g., the supervisory control of a flight control system, require consistent views, consistent actions and synchronized state transitions across network nodes in real time. This paper presents a real time logical synchrony protocol, Physically Asynchronous Logically Synchronous (PALS), to support real time global computation. Under the PALS protocol, engineers design and verify applications as if all the distributed state machines were driven by a single global clock. The PALS protocol is optimal in the sense that 1) the bound on the periods of the real time global computation, such as the supervisory controller, is the shortest possible, and 2) the message overhead in achieving logical synchrony is minimal.