
An Improved Protocol Validation Technique

J. RUBIN
IBM Corporation, Research Triangle Park, NC 27709, USA

and

C.H. WEST
IBM Zurich Research Laboratory, 8803 Ruschlikon, Switzerland

It is shown that communication between asynchronous processes can be expressed as sequences of nondecomposable, basic interactions which in the general case involve multiple message exchanges. Consideration of the form of these interactions leads to an understanding of the limitations of protocol-validation techniques and improves their efficiency.

Keywords: Protocol Validation, Communication Systems, Interactions

J. Rubin received his B.A. in Mathematics from Columbia College in 1957. He worked for IBM from 1957-1960 on compilers and generalized sort programs. Since rejoining them in 1961, his work has been on a large variety of projects, including statistical classification techniques, airline crew scheduling, a number of other scheduling problems involving linear and integer programming, simulation languages, and most recently validation of computer network protocols.

Colin H. West joined IBM in 1971 at the Zurich Research Laboratory and has worked on laboratory automation, computer graphics, communications and computer networks. He is currently active in the areas of communication protocol validation and image processing. He received a B.Sc. degree in physics from Imperial College, London in 1960 and a Ph.D. in elementary particle physics in 1965, also from Imperial College.

From 1961 to 1966 he was a visiting scientist at the European Organization for Nuclear Research (CERN) in Geneva, Switzerland, and subsequently held post-doctoral positions in the physics department and Moore School of Electrical Engineering at the University of Pennsylvania.

North-Holland Publishing Company Computer Networks 6 (1982) 65-73

1. Introduction

This paper discusses the nature of message exchanges between components of a communication system. The work is primarily motivated by a desire to improve the efficiency of an existing automated technique for communication protocol validation [1].

We are primarily concerned here with systems in which the transmission delay is not negligible and cannot be ignored. This is in contrast to "regular" systems discussed by Bochmann [2] which exhibit a behavior that can be modeled by systems in which there is zero delay between the initiation of an action and its execution in a remote process.

We will show for a system of two processes that sequences of exchanged messages can be expressed in a canonical form by decomposing them into interactions that may in their simplest form contain several concurrent message exchanges. Expressing the communication between processes in this way permits a clearer understanding of the limits of applicability of the validation technique and of the role of the more complex types of interactions in communication systems. We also discuss the nature of interactions in systems containing more than two processes.

2. Protocol Validation

Communication protocols are vital components of computer systems. Several recent papers concerned with protocol specification have concentrated on formal models which permit complete and unambiguous definition of protocol properties [3-6].

2.1. Global State Generation

Given a formal model of a protocol, it may be possible to validate the protocol and so prove or demonstrate its properties. One technique commonly used for validation has been referred to as global-state generation [6]. In this technique, an exhaustive analysis is made of all reachable states of a communicating system to evaluate its properties. Several authors have demonstrated successful applications of such techniques [9-11].

0376-5075/82/0000-0000/$02.75 © North-Holland

66 J. Rubin, C.H. West / Protocol Validation Technique

An obvious disadvantage of global-state generation techniques is that the number of states that must be considered may be large. The point at which the number of states needed renders the technique inapplicable depends on the complexity of the protocol and how the validation is performed. Automated validation permits the analysis of several orders of magnitude more states than may be practicable without computer assistance.

2.2. The Perturbation Technique

Here we are primarily concerned with one example of a global-state generation validation technique [1] which we refer to as the perturbation technique in order to distinguish it from other, similar techniques. This combines a particular formal model, method of state generation and set of error-detection criteria, in an automated system that has been used to validate several protocols [10,11]. It is one of a number of closely related methods developed with the same general philosophy [12].

The model of a communication system used in the perturbation technique is as follows. The system is defined by a number of interacting processes that communicate only by exchanging messages. Each communicating process is represented as a finite-state machine that may send or receive a message when it executes a state transition. Communication paths between processes are modeled as queues that may contain any number of messages up to a predefined limit. Starting from an initial system state, defined by the states of the individual processes and queues, all system states accessible within the bounds of the message queues are generated. States in which the number of messages in a queue exceeds the predefined limit are not explored. The existence of system states in which the queue bounds are exceeded may indicate that the validation is incomplete, but is not sufficient to demonstrate incompleteness. This will be discussed in section 4.

The principal errors searched for are deadlocks and incomplete design, the latter manifested by a system state in which a process has no defined transition from its current state that corresponds to a message received. More generally, any error that can be expressed in terms of the parameters defining the system state can be detected. The validation generates a system state transition graph that describes the total system behavior. In principle, an analysis of this graph may detect errors that are properties of transition sequences rather than of particular global states. Examples of properties of this type are liveness and tempo-blocking, which are discussed by Merlin [6].

2.3. Redundancy in the Perturbation Technique

An important feature of the validation is that no timing constraints are placed on the protocol execution. This is done by exploring, from the current state of the system, all transitions that consist of a single state change in any of the component processes. This approach has the advantage of conceptual simplicity, but the disadvantage of redundancy when more than one process can execute a state transition from a given system state. A few examples will illustrate the nature of the redundancy.

Consider the two-process system shown in Figure 1. Process 1 can send messages to process 2 by executing a state transition S12, thus placing a message in the FIFO queue Q12. At some later time, the message arrives at process 2 which can then receive it by executing a state transition R21. The latter transition may represent correct reception of the message or model the occurrence of some error condition. Communication proceeds similarly in the other direction. For the current discussion, it is not necessary to distinguish between different messages or states of the two processes, even though each transmission and reception may involve different messages and state transitions. We will assume that the message transit time is finite but otherwise unspecified. In these circumstances, each process has no knowledge of the time ordering of the state transitions in the other, except insofar as they influence the order of the messages it transmits and receives. The result of executing a series of message exchanges depends only on the transitions that each process has executed, and is otherwise independent of time.

We will define a sequence as a series of execution steps, each consisting of a process sending or receiving a message. In addition, we will require that a sequence starts and ends in a stable system state, defined as one in which all message queues are empty. This restriction simply requires that protocol execution periodically results in a global state in which all transmitted messages have been received.

Fig. 1. Two-process system: process 1 sends into queue Q12 by executing S12 and receives from Q21 by executing R12; process 2 sends into Q21 by executing S21 and receives from Q12 by executing R21.

Suppose in a simple protocol that process 1 sends three messages to process 2 via a queue that has a maximum capacity of three messages. Starting from the initial state with no messages in the queue, the above state exploration algorithm will generate a second system state in which process 1 has executed a transition S12 and one message is in the queue Q12. From the second state, and all subsequent states until all messages have been sent, process 1 can send further messages, and process 2 can receive the first incoming message, so that two transitions from each system state are possible. The validation system will thus generate system states and system-state transitions corresponding to the five sequences shown in Table 1.

The five sequences shown have the common property that both processes execute the same sequence of interaction steps - that is, process 1 sends three messages, and process 2 receives three. They differ in the system states that are traversed, and the maximum number of messages underway. Sequence 5 can only be executed if at least three messages are allowed in the queue, sequence 1 requires only a single queued message, and the others require two. In order to detect the errors with which we are primarily concerned, it is only necessary to exercise one of the sequences since all contain the same series of steps at both processes. Exercising the other sequences represents redundant computation.

It may be useful to exercise the others to analyze system properties that depend on the relative ordering of transitions in the two processes. One example of such a property is the maximum number of messages that may be in a queue. Properties of this type will be discussed in section 4.

As a second example, consider a collision that results when both processes concurrently send a message to each other. Process 1 executes S12 R12, first sending a message and then receiving one. Process 2 executes S21 R21, also sending and then receiving, so that the two messages pass in the communication medium. The transitions forming the collision can be time ordered in four different sequences as shown in Table 2, each of which will be exercised.

As in the previous example, the four sequences represent the same interaction steps in each process, yet traverse different system states. In order to analyze the collision, it is only necessary to exercise one of the sequences.

Both of the above examples illustrate an intrinsic redundancy in the state exploration algorithm used. Exploring all exits from a state has undesirable consequences when more than one process can execute a state transition from a given global state. In a successor state, reached by executing a transition in one of the processes, the same transitions may still be executed in the other processes as were possible in the preceding state. The global states and state transitions corresponding to all possible time orderings of the individual transitions are thus explored, even when the protocol behavior is independent of the ordering.

From the above discussion, it is clear that the problem of redundancy in the validation is related to there being insufficient information within the system to impose a precise time ordering of events. Lamport [13] has shown how logical clocks and the exchange of timestamped messages in a distributed system can be used to order the events in the system. As the systems we are considering do not necessarily exchange timestamp information, we must find other techniques to impose ordering if we are to remove the redundant computation from the validation procedure.

Table 1. Sequences generated by three successive sends.

Sequence Number   Transitions
1                 S12 R21 S12 R21 S12 R21
2                 S12 S12 R21 R21 S12 R21
3                 S12 R21 S12 S12 R21 R21
4                 S12 S12 R21 S12 R21 R21
5                 S12 S12 S12 R21 R21 R21

Table 2. Sequences generated by a collision.

Sequence Number   Transitions
1                 S12 S21 R12 R21
2                 S12 S21 R21 R12
3                 S21 S12 R12 R21
4                 S21 S12 R21 R12


3. Canonical Sequences

We have shown in the previous section by means of two examples, that a simple global state exploration algorithm results in redundant computation. In this section, we will show for a two-process interaction that this redundancy can be removed by imposing a transition ordering rule when more than one process can execute a state transition from a given global state. This leads naturally to the concept of decomposing message exchange sequences into series of non-decomposable interactions, equivalent to the empty medium abstraction proposed by Bochmann [7].

Consider a two process interaction sequence S that has N steps, starting and terminating in a stable system state. Each step consists of the sending of a message by process 1 (S12) or process 2 (S21), or the reception of a message by process 1 (R12) or process 2 (R21). The exact sequence of the four possible operations at each step is dependent on a number of factors in any given sequence.

First, it depends on the paths being traversed in the state diagrams defining the logical structure of the two processes, and hence the sequence of sends and receives that each process can execute.

Second, it depends at any point on the contents of the message queues: messages cannot be received unless they have already been sent.

Third, it depends on the particular timing sequence of independent operations in the two processes. It is this dependence that we wish to eliminate from our analysis.

Suppose that at an intermediate point in the sequence the last step executed in the sequence was S(I), and that the number of messages in Q12 and Q21 at this point are N12(I) and N21(I) respectively. Then N12(I) is simply the number of messages sent by process 1 less the number of messages that have so far been received by process 2 and cannot be negative, i.e.

$N_{12}(I) = \mathrm{Sum}(S(J) = S_{12} \text{ for } J \le I) - \mathrm{Sum}(S(J) = R_{21} \text{ for } J \le I)$

and

$N_{12}(I) \ge 0.$

From the definition of a sequence it follows that N12(N) = 0. Similar relations define N21.

Suppose we now write the sequence in terms of two subsequences A and B, where A represents the

steps executed by process 1 and B the steps executed by process 2. As N12(N) = N21(N) = 0, each send in either process has a corresponding receive in the other. It follows that the lengths of the subsequences A and B are the same and both equal to M = N/2.

The sub-sequences A and B do not uniquely define S. In general, there will be more than one sequence corresponding to a particular pair of subsequences. The two examples used in section 2.3 illustrate this.

We may thus divide the set of all sequences into sets of equivalent sequences, where each set of equivalent sequences has as members those sequences expressible in terms of a specific pair of sub-sequences (A, B). On the basis of the discussion in the previous section, we will suppose that it is not necessary to analyze all sequences, merely one member of each equivalent set that we will designate as a canonical sequence. We will first define the canonical sequence and show that it is a legitimate executable sequence, and then discuss the implications of exercising the protocol in this way in section 4.

The proposed canonical form of a sequence S is to choose transitions pairwise, where each pair contains one transition from each of the subsequences A and B. Within the pair, the event at A is chosen first, unless that event is a receive from an empty queue, in which case the event at B is chosen first.

Theorem: In a two process system as described above, the canonical equivalent of any executable sequence S is an executable sequence.

Assume that we have executed all steps as far as step K in both A and B. If we can always execute both A(K + 1) and B(K + 1) before executing either A(K + 2) or B(K + 2), independent of K, then the whole sequence may be executed in this way.

We will first derive a simple relation between the number of messages sent but not received after the Kth step in both subsequences.

At all times, Q12 contains N12 messages, equal to the number of sends in A less the number of receives in B. Since a sequence by definition starts with the message queues empty, we can write the queue contents after K steps in both A and B as

$N_{12}(K) = \mathrm{Sum}(A(J) = S_{12} \text{ for } J \le K) - \mathrm{Sum}(B(J) = R_{21} \text{ for } J \le K)$

and

$N_{21}(K) = \mathrm{Sum}(B(J) = S_{21} \text{ for } J \le K) - \mathrm{Sum}(A(J) = R_{12} \text{ for } J \le K)$


The number of steps K executed is simply the sum of the sends and receives in each process

$K = \mathrm{Sum}(A(J) = S_{12} \text{ for } J \le K) + \mathrm{Sum}(A(J) = R_{12} \text{ for } J \le K)$

and

$K = \mathrm{Sum}(B(J) = S_{21} \text{ for } J \le K) + \mathrm{Sum}(B(J) = R_{21} \text{ for } J \le K)$

From these two expressions for K and the expressions for the queue contents above, it follows that N12(K) = N21(K). Note that the above equality is a property of the position in the two subsequences, not of the algorithm defining the order in which previous steps in A and B were chosen for execution. Since an executable sequence cannot traverse states in which N12 and N21 are negative, after executing K steps in both subsequences the queue contents are both zero or positive and equal.

Let us consider the case when the queue contents after K steps are both zero. When the queues are empty, the next step in both subsequences cannot be a reception if the sequence is executable. Therefore when N12(K) = N21(K) = 0 it follows that A(K + 1) = S12 and/or B(K + 1) = S21.

Suppose that A(K + 1) = S12; then B(K + 1) may be S21 or R21. Considering the second case, B(K + 1) = R21, we can execute the two steps A(K + 1), B(K + 1) in sequence, with the result that a message has been transferred from process 1 to process 2 and the system returned to a stable state.

If A(K + 1) = R12 and B(K + 1) = S21, then we must execute the two steps in the order B(K + 1), A(K + 1), with a message being transferred from process 2 to process 1 and both message queues being empty. If A(K + 1) and B(K + 1) are respectively S12 and S21, we can execute them either in the sequence A(K + 1), B(K + 1) or B(K + 1), A(K + 1). We will arbitrarily prefer the former.

We can therefore always execute the next step in each process without exercising the (K + 2)th step in either when the queues are empty.

When the queues are not empty, all combinations of sends and receives may occur as the next steps in A and B, as there is a message underway in both directions.

If a sequence S is therefore expressed as two subsequences A and B containing the sends and receives executed in both processes, it is possible to execute the sequence in an order such that all interaction steps A(J) and B(J) where J < K are executed before executing the pair A(K) and B(K).

4. Implications of Canonical Sequences

We have so far shown that it is possible to write a sequence S in a canonical form consisting of two subsequences A and B, each containing the state transitions executed by one of the two interacting processes, and that it is always possible to execute the canonical form pairwise, one transition from each subsequence. In this section we will discuss a number of topics related to incorporating the concept of canonical sequences into global state exploration algorithms. We will show first that the concept of canonical sequences leads naturally to dividing the protocol execution into a series of basic interactions, closely related to the empty medium abstraction proposed by Bochmann. We will then discuss the effects of incorporating canonical sequences into global state exploration algorithms. Three points will be discussed: reduction in the number of states to be examined, significance of the validation results, and increased understanding of the limits of a partial validation.

4.1. Basic Interactions

The exercising of the interaction domain by means of canonical sequences can be envisaged as taking place according to the state diagram shown in Figure 2. The vertical lines represent system states characterized by the number of messages contained in Q12 and Q21, the transitions between states being labeled with the pairs of interaction steps (A(I) B(I)) exercised. A path through the above state diagram that starts and ends in state 0 with the message queues empty, without any intermediate traversals of that state, we will refer to as a basic (or nondecomposable) interaction between the processes. Basic interactions have the property that they cannot be divided into simpler interactions without changing the sequence of interaction steps that the two processes execute. We will define the order of a basic interaction as being the highest number state that must be traversed for the interaction to be exercised.

Fig. 2. State diagram for canonical sequences. The states 0, 1, 2, ..., N-1, N are labeled by the number of messages in each queue; the pair (S12 S21) leads from a state to the next higher one, (R12 R21) to the next lower one, and (S12 R21) or (R12 S21) returns to the same state.

The simplest basic interactions are single message exchanges in both directions (A, B = S12, R21 and A, B = R12, S21) and are of order zero. The next simplest is of order 1, a collision A, B = S12 R12, S21 R21. These interactions are shown in diagrammatic form in Fig. 3, together with a sample, more complex first order interaction. Arrows indicate the direction of message flow, and the vertical bars the state transitions in the two processes.

Fig. 3. Time diagrams of the simplest basic interactions: a single message exchange A, B = S12, R21 (order zero); a collision A, B = S12 R12, S21 R21 (order 1); and a more complex first order interaction A, B = S12 S12 R12 R12, S21 R21 S21 R21.

The algorithm we have chosen for exercising the canonical sequences is closely related to the empty medium abstraction proposed by Bochmann. He suggested that a simplified view of a protocol is to consider only states in which the communications medium is empty (which we are calling stable states), and that this may be done by directly coupling transitions in the sender and receiver. He points out that a difficulty is deciding which pairs of directly coupled transitions need be included in the analysis of a protocol.

The algorithm described here determines the basic interactions that lead from one stable state of the system to the next by coupling pairs of transitions in the two processes, and considering intermediate states with a non-empty transmission medium when necessary.

4.2. Canonical sequences and global state exploration algorithms

It is interesting to consider the state diagram of Fig. 2 in relation to global-state generation techniques of protocol validation of which the perturbation technique is an example. The latter exercises all states of a system within predefined limits of the message-queue sizes. By executing from each reachable state all combinations of pairs of transitions in two processes instead of just single state transitions, the global state generation is modified so as to execute all canonical sequences of the protocol instead of all sequences.

It should be noted that when the design of a process is incomplete, there may be no transition corresponding to the reception of a particular incoming message in the receiving process. In this case the continuation of the series of events to form a complete sequence is not possible as the protocol does not specify how to proceed and an error has been detected.

Execution of only canonical sequences reduces the number of states analysed, as only those states are accessed in which equal numbers of messages underway in both directions are generated. The reduction in number of states that may be achieved is a function of the protocol and of the maximum size of the message queues.

As an exercise, we have determined the effect of applying this algorithm to our earlier validation of the X.21 interface [10]. With no more than one message outstanding in either direction, a 58% reduction in the number of states was found. With larger queues the reduction was more substantial, although it should be noted that this particular protocol is not designed to operate in these conditions. With no more than two and three messages outstanding, the number of generated states was reduced by 74% and 83% respectively.
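As an added illustration of the state-count comparison (not the authors' X.21 figures or their validation system), the following Python explores a small constructed two-process protocol both ways: once perturbation style, one transition at a time within a queue bound (section 2.2), and once with canonical pairs ordered by the rule of section 3. A second variant, with the reception of a colliding message left out, shows that the pairwise exploration still reports the unspecified reception, while the perturbation exploration alone notices the queue bound being hit. All protocol states, messages and function names are this example's own.

```python
# Added example, not the authors' tool. Each process runs the same definition:
# state -> list of (kind, message, next state), kind being "send" or "recv".
# A global state is (state1, state2, q12, q21); the queues are tuples holding
# the messages in FIFO order. Constructed toy protocol: a side may send DATA,
# answers DATA with ACK, and (in GOOD) copes with two DATAs colliding.
GOOD = {
    "idle": [("send", "DATA", "wait"), ("recv", "DATA", "reply")],
    "reply": [("send", "ACK", "idle")],
    "wait": [("recv", "ACK", "idle"), ("recv", "DATA", "busy")],
    "busy": [("send", "ACK", "wait")],
}
# Incomplete design: a side waiting for its ACK has no reception for a
# colliding DATA, so the collision state is an unspecified reception.
BAD = dict(GOOD, wait=[("recv", "ACK", "idle")])
INIT = ("idle", "idle", (), ())


def fire(g, proc, tr):
    """Global state after process `proc` (1 or 2) executes transition `tr`,
    or None if it is not enabled (a receive whose message is not at the head
    of the incoming queue). Queue bounds are the caller's business."""
    s1, s2, q12, q21 = g
    kind, msg, nxt = tr
    out, inc = (q12, q21) if proc == 1 else (q21, q12)
    if kind == "send":
        out = out + (msg,)
    elif inc and inc[0] == msg:
        inc = inc[1:]
    else:
        return None
    return (nxt, s2, out, inc) if proc == 1 else (s1, nxt, inc, out)


def check(proto, g):
    """Error criteria of section 2.2 evaluated on one global state."""
    s1, s2, q12, q21 = g
    errors, stuck = set(), 0
    for proc, state, inc in ((1, s1, q21), (2, s2, q12)):
        if any(fire(g, proc, tr) is not None for tr in proto[state]):
            continue  # the process can still move
        stuck += 1
        if inc:  # a message it cannot accept, and no way to change state
            errors.add(("unspecified reception", g))
    if stuck == 2 and not q12 and not q21:
        errors.add(("deadlock", g))
    return errors


def explore(proto, bound, pairwise):
    """Reachable global states from INIT. pairwise=False is the perturbation
    technique (every single transition from every state); pairwise=True
    executes canonical pairs only, so just states with equal queue contents
    are recorded. Returns (states, errors, bound_hits), bound_hits counting
    transitions dropped because a queue would exceed `bound`."""
    seen, todo, errors, bound_hits = {INIT}, [INIT], set(), 0
    while todo:
        g = todo.pop()
        s1, s2, q12, q21 = g
        errors |= check(proto, g)
        if pairwise:
            # Section 3 rule: process 1's step first, unless it is a receive
            # from an empty queue. The state between the two steps of a pair
            # is not recorded, so its queue contents are never inspected.
            moves = [((2, t2), (1, t1)) if t1[0] == "recv" and not q21
                     else ((1, t1), (2, t2))
                     for t1 in proto[s1] for t2 in proto[s2]]
        else:
            moves = [((p, t),) for p, s in ((1, s1), (2, s2)) for t in proto[s]]
        for move in moves:
            n = g
            for proc, tr in move:
                n = fire(n, proc, tr)
                if n is None:
                    break
            if n is None:
                continue
            if max(len(n[2]), len(n[3])) > bound:
                bound_hits += 1  # section 2.2: such states are not explored
                continue
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen, errors, bound_hits


def summary(proto, bound, pairwise):
    """(number of states, sorted error kinds, bound hits) of one exploration."""
    states, errors, hits = explore(proto, bound, pairwise)
    return len(states), sorted(kind for kind, _ in errors), hits


if __name__ == "__main__":
    for name, proto in (("GOOD", GOOD), ("BAD", BAD)):
        for bound in (1, 2):
            print(name, "bound", bound,
                  "perturbation:", summary(proto, bound, False),
                  "canonical pairs:", summary(proto, bound, True))
```

For GOOD with a bound of one message per queue the perturbation exploration records 14 states and drops 4 transitions at the bound, while canonical pairs record 6 states and never touch the bound.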


4.3. Canonical sequences and the significance of validation results

The advantage of the improvement in efficiency is of limited value if the validation results are compromised. Exploring just the canonical sequences is not in all respects equivalent to exploring all sequences. The effect depends on the protocol properties that are to be validated. The properties that our validation procedure has primarily been concerned with are not affected.

If execution of a sequence leads to a deadlock, then execution of its corresponding canonical sequence will also lead to the same deadlock, since each process traverses the same series of states and state transitions in both cases. Similarly, if the system contains an unspecified reception, then our procedure for generating only canonical sequences will also discover it.

Since the canonical sequences as defined only traverse states in which the message queues contain equal numbers of messages, the reachability of other types of global states is not determined. This has implications if the validation addresses other protocol properties. The most significant is that state exploration using canonical sequences does not determine whether or not maximum queue sizes can be exceeded during protocol execution.

Other properties are less seriously impacted. For example, the determination of adjoint states [7] is dependent on exercising all possible states of the communications medium, which is not done if canonical sequences are used. However, our experience is that the concept of adjoint state is most useful when it is restricted to states where the communications medium is empty. In this case, exploration using canonical sequences has no impact as the reachability of empty medium states is not affected.

Similar reservations apply to other properties such as liveness, effective progress etc., but these can be adequately expressed in terms of the states reached by the canonical sequence algorithm.

In general, the restrictions that the use of canonical sequences implies are minor and are more than compensated for by the ability to validate more complex protocols as a result of the reduction in the number of global states generated.

4.4. Limits of validation

In global state exploration with limited queue sizes, it is obvious that sequences that traverse system states in which the message-queue limits are exceeded cannot be exercised. From the above discussion, it is clear that the effect of exercising such sequences may be largely determined by exercising their equivalent canonical sequences in so far that the maximum order of interaction they contain is compatible with the queue size limit.

Limiting the queue sizes during state exploration is thus equivalent to limiting the maximum order of basic interactions that can be explored. If any protocol sequence contains basic interactions that cannot be exercised the validation may be incomplete.

An example of a sequence that would not be validated if only one message were allowed in the queues in both directions would be a double collision

A, B = S12 S12 R12 R12, S21 S21 R21 R21.

In this case, the validation would be unable to determine if the sequence might lead to a deadlock or other error condition in states accessible only if the sequence were exercised.

For protocols containing basic interactions of an arbitrary complexity, validation procedures therefore have a fundamental limitation, and cannot be viewed as complete. Similar conclusions have been reported concerning the limits of application of design rules [14].

5. Basic interactions in more complex systems

We have so far discussed the concept of a basic interaction in a system consisting of two processes linked by FIFO queues. Basic interactions can also be defined for communicating systems with more interacting processes and/or communication media which have properties that must be modeled with different types of queues.

As in the simple two-process case, one can define sets of equivalent sequences in which all interacting processes execute the same series of interaction steps. A canonical sequence representative of each set can be defined, and the concept of a basic interaction, an indivisible sequence of interaction steps linking two system states with the queues empty, can also be introduced.

The nature of the basic interactions in a multiprocess system is more complex than in the two-process case. This is because there are mechanisms that contribute to the formation of the interactions that are not present in the simple two-process case discussed above. This can be illustrated by a few simple basic interactions that involve three processes. The first is a three-process collision

A, B, C = S12 R13, S23 R21, S31 R32

which is a straightforward generalization of a two-process collision.

The second shows a reordering mechanism that can occur in multiprocess interactions, but is absent in two-process interactions unless messages can be reordered in the communication medium. The interaction

A, B, C = S13 S12, R21 S23, R32 R31

has process 1 sending successive messages to processes 3 and 2. Process 2 then sends a message to process 3, which arrives before the earlier message sent by process 1.

The third example illustrates an interference mechanism, by which a two-process interaction is interrupted by an interaction of one of the processes with a third. In the interaction

A, B, C = S12 R12, S21 R23 R21, S32

processes 1 and 2 are involved in a collision which is interrupted by a message exchange between processes 3 and 2.
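The queue-limit effect described in section 4.4 and the three-process interactions above can be checked mechanically. The following Python is an added example and is not code from the paper. It assumes a reading of the step notation (Sij: process i sends a message to process j; Rij: process i receives the message at the head of the FIFO queue coming from process j), a separate FIFO queue for each ordered pair of processes, and that a send into a queue already holding the limit is simply not enabled, so the global states beyond the limit are never generated. It enumerates the interleavings of a set of per-process step lists under a given queue limit, reports the smallest limit under which a sequence can be exercised at all, and tests indivisibility by looking for an intermediate global state in which every queue is empty. The function names, the per-process lists and the contrasting TWO_EXCHANGES sequence are constructed for this example.

```python
# Added example (not from the paper): bounded-queue exploration of the
# interaction sequences quoted in sections 4.4 and 5.  Assumed reading of the
# notation: "Sij" = process i sends a message to process j, "Rij" = process i
# receives the message at the head of the FIFO queue coming from process j.
# Each ordered pair of processes has its own FIFO queue; a send into a queue
# that already holds `bound` messages is not enabled.
from typing import Dict, List, Optional, Tuple

Procs = Dict[int, List[str]]          # process id -> its interaction steps, in order
Trace = List[Tuple[int, str]]         # one global interleaving: (process, step)


def parse(step: str) -> Tuple[str, int, int]:
    """'S12' -> ('S', 1, 2); 'R12' -> ('R', 1, 2)."""
    kind, i, j = step[0].upper(), int(step[1]), int(step[2])
    if kind not in ("S", "R") or i == j:
        raise ValueError(f"bad interaction step {step!r}")
    return kind, i, j


def complete_traces(procs: Procs, bound: int) -> List[Tuple[Trace, int, bool]]:
    """Every interleaving that executes all steps of all processes without any
    queue exceeding `bound`.  Each result is (trace, peak queue length, flag
    saying whether some intermediate global state had every queue empty)."""
    pids = sorted(procs)
    steps = {p: [parse(s) for s in procs[p]] for p in pids}
    for p in pids:
        if any(i != p for _, i, _ in steps[p]):
            raise ValueError(f"process {p} lists a step belonging to another process")
    total = sum(len(s) for s in steps.values())
    results: List[Tuple[Trace, int, bool]] = []

    def dfs(pc, queues, trace, peak, seen_empty):
        if len(trace) == total:
            results.append((list(trace), peak, seen_empty))
            return
        for p in pids:
            if pc[p] == len(steps[p]):
                continue
            kind, i, j = steps[p][pc[p]]
            ch = (i, j) if kind == "S" else (j, i)   # queue the step acts on
            n = queues.get(ch, 0)
            if kind == "S" and n >= bound:
                continue                              # queue full: send not enabled
            if kind == "R" and n == 0:
                continue                              # nothing queued: receive not enabled
            nq = dict(queues)
            nq[ch] = n + 1 if kind == "S" else n - 1
            pc[p] += 1
            trace.append((p, procs[p][pc[p] - 1]))
            empty_now = len(trace) < total and not any(nq.values())
            dfs(pc, nq, trace, max(peak, nq[ch]), seen_empty or empty_now)
            trace.pop()
            pc[p] -= 1

    dfs({p: 0 for p in pids}, {}, [], 0, False)
    return results


def executable(procs: Procs, bound: int) -> bool:
    """Can the sequence be exercised at all under this queue limit?"""
    return bool(complete_traces(procs, bound))


def _sends(procs: Procs) -> int:
    return sum(s[0].upper() == "S" for steps in procs.values() for s in steps)


def min_queue_bound(procs: Procs) -> Optional[int]:
    """Smallest queue limit under which the sequence completes, or None if it
    never can (for instance a receive that no send ever matches)."""
    for b in range(1, _sends(procs) + 1):
        if executable(procs, b):
            return b
    return None


def is_basic(procs: Procs) -> bool:
    """Indivisible in the sense of section 5: with queues large enough for
    every interleaving, no interleaving passes through an intermediate global
    state in which all queues are empty."""
    traces = complete_traces(procs, max(1, _sends(procs)))
    return bool(traces) and not any(seen_empty for _, _, seen_empty in traces)


# The interactions quoted in sections 4.4 and 5, written in the assumed notation.
COLLISION = {1: ["S12", "R12"], 2: ["S21", "R21"]}
DOUBLE_COLLISION = {1: ["S12", "S12", "R12", "R12"], 2: ["S21", "S21", "R21", "R21"]}
THREE_COLLISION = {1: ["S12", "R13"], 2: ["S23", "R21"], 3: ["S31", "R32"]}
REORDERING = {1: ["S13", "S12"], 2: ["R21", "S23"], 3: ["R32", "R31"]}
INTERFERENCE = {1: ["S12", "R12"], 2: ["S21", "R23", "R21"], 3: ["S32"]}
# Constructed contrast: two single-message exchanges, which decompose at an
# intermediate empty-queue state and so do not form one basic interaction.
TWO_EXCHANGES = {1: ["S12", "S12"], 2: ["R21", "R21"]}

if __name__ == "__main__":
    cases = [("collision", COLLISION), ("double collision", DOUBLE_COLLISION),
             ("three-process collision", THREE_COLLISION), ("reordering", REORDERING),
             ("interference", INTERFERENCE), ("two exchanges", TWO_EXCHANGES)]
    for name, procs in cases:
        print(f"{name:24s} exercisable with limit 1: {executable(procs, 1)!s:5}"
              f" smallest limit: {min_queue_bound(procs)}  basic: {is_basic(procs)}")
```

With a limit of one message per queue the double collision cannot be driven to completion, because each process's second send is never enabled and the global state from which the receives would proceed is never generated; a limit of two suffices. The three-process collision, the reordering and the interference interactions all complete with a limit of one and never pass through an intermediate empty-queue state, so they are indivisible in the sense above. The constructed TWO_EXCHANGES sequence, by contrast, admits an interleaving that empties the queues halfway and so decomposes into two single-message exchanges.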

By attempting to generate all basic interactions in systems with more than two processes, we have found that the number of possible interactions increases rapidly with the number of interaction steps they contain. The three mechanisms described above combine to produce a great variety of interactions that are difficult to understand and classify. A classification that provides a measure of the interaction complexity and probability of occurrence in a system is important to understand the limits of global-state generation validation procedures. We are currently investigating algorithms that can be used to validate multiprocess systems by exercising only basic interactions ordered in a canonical sequence. Several algorithms are being considered, and further work is needed to understand their relative efficiency.

6. Conclusions

We have discussed some redundancy in the calculations involved in a global-state generation method of protocol validation and shown how it can be reduced by recognizing that each message exchange is decomposable into basic interactions, in which individual state transitions are sequenced in a predefined canonical manner.

The simplest, zero-order, basic interactions are the only ones that need be considered when analyzing regular systems as defined by Bochmann, although higher order interactions may actually occur during the system's execution. Performance constraints in systems where communication delays may be significant often require system design permitting the occurrence of the more complex interactions. Although this is rarely desired, particular timing constraints may produce them in systems requiring optimum performance. Designers should therefore understand the nature of basic interactions so that they can design adequate recovery mechanisms when they do occur.

Our experience with protocol validation has shown that a lack of provision for recovery from all of the interactions implied by the protocol design is a major source of design errors.

The validation technique has proved to be a useful tool to identify when complex interactions can occur within a communication system. By building a means of exercising particular classes of interactions into the validation procedure it is possible to achieve two significant improvements. First, the validation procedure is made more efficient, as many sources of redundant computation are removed. Second, when the protocols validated are sufficiently complex that a complete validation cannot be performed, it is possible to state clear limits defining the completeness of the validation in terms of the types of interactions explored.

References

[1] C.H. West, "General Technique for Communications Protocol Validation," IBM J. Res. Develop., Vol. 22, No. 4, (July 1978), pp. 393-404.

[2] G.V. Bochmann, "Distributed Systems and Regularity," Computer Networks, Vol. 3, (1979), pp. 36-43.

[3] G.V. Bochmann and C. Sunshine, "Formal Methods in Communication Protocol Design," IEEE Trans. Commun., Vol. COM-28, No. 4, (April 1980), pp. 624-631.

[4] M.G. Gouda and E.G. Manning, "On the Modelling, Analysis and Design of Protocols - A Special Class of Software Structures," Proc. Second Int. Conf. on Software Engineering, San Francisco, U.S.A., (Oct. 1976), pp. 256-262.

[5] C.A. Sunshine, "Survey of Protocol Definition and Verification Techniques," Computer Networks, Vol. 2, (1978), pp. 346-350.


[6] P.M. Merlin, "Specification and Validation of Protocols," IEEE Trans. Commun., Vol. COM-27, No. 11, (Nov. 1979), pp. 1671-1680.

[7] G.V. Bochmann, "Finite State Description of Communication Protocols," Computer Networks, Vol. 2, (1978), pp. 361-372.

[8] C.A. Sunshine, "Formal Modelling of Communication Protocols," Technical Report ISI/RR-81-89, Information Sciences Institute, University of Southern California, March 1981.

[9] J. Hajek, "Automatically Verified Data Transfer Protocols," Proc. International Conf. on Computer Communications, Kyoto, Japan, (Sept. 1978), pp. 749-756.

[10] C.H. West and P. Zafiropulo, "Automated Validation of a Communications Protocol: the CCITT X.21 Recommendation," IBM J. Res. Develop., Vol. 22, No. 1, (Jan. 1978), pp. 60-71.

[11] G.D. Schultz, D.B. Rose, C.H. West, and J.P. Gray, "Executable Description and Validation of SNA," IEEE Trans. Commun., Vol. COM-28, No. 4, (April 1980), pp. 661-677.

[12] P. Zafiropulo, C.H. West, H. Rudin, D.D. Cowan, and D. Brand, "Towards Analyzing and Synthesizing Protocols," IEEE Trans. Commun., Vol. COM-28, No. 4, (April 1980), pp. 651-661.

[13] L. Lamport, "Time, Clocks and the Ordering of Events in a Distributed System," CACM, Vol. 21, No. 7, (July 1978), pp. 558-565.

[14] D. Brand and P. Zafiropulo, "Synthesis of Protocols for an Unlimited Number of Processes," Proc. "Trends and Applications: 1980," Computer Network Protocols Symp., Gaithersburg, Md. (May 1980), pp. 29-40.