N. Shankar. Mechanical Verification of a Schematic Byzantine Clock Synchronization Algorithm. Technical Report CR-4386, NASA, 1991.


This paper is cited in the following contexts:
Probabilistic Internal Clock Synchronization - Cristian, Fetzer (2003)   (8 citations)

....can be used to synchronize clocks despite unbounded communication delays. Since probabilistic reading achieves higher precisions than deterministic reading, the protocols achieve synchronization precisions better than those achievable by previously known deterministic algorithms, such as those of [2, 3, 7, 8]. Our algorithms use several new midpoint convergence functions, derived from the original fault tolerant midpoint convergence function of [3]. These new convergence functions achieve optimal accuracy: the drift rate of the synchronized clocks is bounded by the maximum drift rate of correct ....

....we make several assumptions; these must be guaranteed by any implementation of the clock synchronization algorithms. Since we use a probabilistic clock reading method and so processes can fail to read correct clocks within a given maximum error, our assumptions are somewhat different from those of [7, 8, 5]. The main differences are in the failure assumptions which limit the number of independent clock reading failures. 4.3.1 Initialization We require that at the start of the first round all correct clocks be within a constant of each other, where will be determined later. Constant is also ....

[Article contains additional citation context not shown here]

N. Shankar. Mechanical verification of a schematic byzantine clock synchronization algorithm. Technical Report CR-4386, NASA, July 1991.


Mechanical Verification of Clock Synchronization Algorithms - Schwier, von Henke (1998)   (9 citations)

....of a claimed property of a synchronization algorithm is indeed correct. Schneider [7] was the first to observe that correctness of a whole class of clock synchronization algorithms depends on common general assumptions and presented a general theory for that class. Subsequently, Shankar [8] verified Schneider's proof with the help of the EHDM system, a predecessor of the PVS verification system. Miner [2] was able to relax some of the assumptions and extended the reasoning about recovery from transient faults. The theories developed by Shankar and Miner allow for a generic ....

....of the general agreement theory are proved. Thus the formalization of Miner may be regarded as a special case of the general theory. Miner uses several inverse functions that map the local time of a node to real time; such inverse functions are not used in this paper. Miner's [2] and Shankar's [8] fault assumptions cover faulty nodes. Nodes operate according to the algorithm when all messages properly reach their destination. For some applications this assumption is too restrictive. Nodes may be considered as correct even when some messages are lost. For the Welch-Lynch algorithm [1] ....

[Article contains additional citation context not shown here]

N. Shankar. Mechanical verification of a schematic byzantine clock synchronization algorithm. Technical Report CR-4386, NASA, 1991.


Mechanical Verification of Clock Synchronization Algorithms - Schwier, von Henke (1998)   (9 citations)

....In contrast, nonaveraging algorithms use a fixed clock adjustment and a varying period between clock adjustments. Schneider [11] was the first to observe that correctness of averaging algorithms depends on common general assumptions about the applied convergence function. Subsequently, Shankar [13] verified Schneider's proof with the help of the EHDM system, a predecessor of the PVS verification system [7, 6, 5]. Miner [4] was able to relax some of the assumptions and extended the reasoning about recovery from transient faults. The theories developed by Shankar and Miner allow for a generic ....

N. Shankar. Mechanical verification of a schematic byzantine clock synchronization algorithm. Technical Report CR-4386, NASA, 1991.


Formal Verification for Time-Triggered Clock Synchronization - Pfeifer, Schwier, von Henke (1999)   (11 citations)

....[Figure 1: Structure of the TTP instance of the generic theory for clock synchronization. Panels: generic theory for clock synchronization; verified clock synchronization for TTP.] .... verify Schneider's proof [19, 20] and Miner [12] and more recently Schwier and v. Henke [18] have further improved the constraints and the organization of the proof itself, respectively. By following this general two step approach to clock synchronization we can make use of existing PVS formalizations of the generic ....

....generalization, too. They are, however, omitted in this presentation. For a detailed explanation of these and the other conditions we refer to Schneider [17] and Miner [12]; a complete generic derivation of the synchronization property from these conditions is given by Schneider [17] and Shankar [19]. 4.2 Deriving abstract properties of the protocol While the formal model of TTP is describing the clock synchronization algorithm on the level of slots, the generic verification is based on the notation of synchronization intervals. In order to exploit the generic proof of clock synchronization ....

N. Shankar. Mechanical Verification of a Schematic Byzantine Clock Synchronization Algorithm. Technical Report CR-4386, NASA, 1991.


Synchronization Issues in Real-Time Systems - Suri, Hugue, Walter (1994)   (5 citations)

....and verification systems. In [15] clock synchronization algorithms based on interactive convergence are formally verified, and errors in the published analysis [13] were discovered and corrected. A schematic protocol for Byzantine fault tolerant clock synchronization is mechanically verified in [27], with the results compared to the hand proofs in [25] and minor errors in the original exposition were again uncovered. In [23] the Oral Messages algorithm of [12] is similarly verified. In each of these cases, the process of mechanical verification uncovered minor algebraic mistakes, as well ....

Shankar, N., "Mechanical verification of a schematic byzantine fault-tolerant clock synchronization algorithm," NASA Contractor Report NASA 4386, SRI-CSL-91-4, SRI International, Menlo Park, CA, January 1991.


Probabilistic Internal Clock Synchronization - Cristian, Fetzer (1994)   (8 citations)

....can be used to synchronize clocks despite unbounded communication delays. Since probabilistic reading achieves higher precisions than deterministic reading, the protocols achieve synchronization precisions better than those achievable by previously known deterministic algorithms, such as those of [2, 3, 7, 8]. Our algorithms use several new midpoint convergence functions, derived from the original fault tolerant midpoint convergence function of [3]. These new convergence functions achieve optimal accuracy: the drift rate of the synchronized clocks is bounded by the maximum drift rate of correct ....

....make several assumptions; these must be guaranteed by any implementation of the clock synchronization algorithms. Since we use a probabilistic clock reading method and so processes can fail to read correct clocks within a given maximum error, our assumptions are somewhat different from those of [7, 8, 5]. The main differences are in the failure assumptions which limit the number of independent clock reading failures. 4.3.1 Initialization We require that at the start of the first round all correct clocks be within a constant δ_S of each other, where δ_S will be determined later. Constant δ_S ....

[Article contains additional citation context not shown here]

N. Shankar. Mechanical verification of a schematic byzantine clock synchronization algorithm. Technical Report CR-4386, NASA, July 1991.


Formal Methods Technology Transfer: A View from NASA - Caldwell (1996)   (2 citations)

....As such, they are often the ones engineers have most difficulty convincing themselves they've got right. In the first years of the program, formal specifications and verifications for these building blocks were undertaken and completed in the following systems: EHDM and later in PVS at SRI [55, 50, 59]; Nqthm, the Boyer-Moore prover, at CLI [1, 2, 45, 44, 68]; and Clio and the Penelope Ada verification system at ORA [61, 4, 63, 30, 62]. Concurrently we gained experience at Langley using a number of the prover systems including EHDM, Nqthm, and HOL. During that time we were primarily occupied ....

Natarajan Shankar. Mechanical verification of a schematic Byzantine clock synchronization algorithm. NASA Contractor Report 4386, July 1991.


Formal Verification of an Oral Messages Algorithm for Interactive .. - Rushby (1992)   (8 citations)

.... for this problem [8, Algorithm CNV] and found that the published analysis of this algorithm was incorrect in a number of details [15, 16]. Our colleague Shankar has formally verified the generalized clock synchronization paradigm of Schneider [18] and similarly found a number of small errors [19, 20]. In both cases, the formal verification led to improved and simplified presentations of the informal justifications for the correctness of the algorithm concerned. We have often wondered whether formal verification of the Oral Messages algorithm for Byzantine Agreement would yield similar ....

Natarajan Shankar. Mechanical verification of a schematic Byzantine fault-tolerant clock synchronization algorithm. Technical Report SRI-CSL-91-4, Computer Science Laboratory, SRI International, Menlo Park, CA, January 1991. Also available as NASA Contractor Report 4386.


Formal Techniques for Synchronized Fault-Tolerant Systems - Di Vito, Butler (1992)   (10 citations)

....1991, Rushby 1992]. Rushby's model is more general than ours, but assumes a tighter degree of synchronization where voting takes place after every task execution. In addition, Shankar has undertaken the formalization of a general scheme for modeling fault tolerant clock synchronization algorithms [Shankar 1991, Shankar 1992]. Several efforts in hardware verification are likewise relevant. Bevier and Young have verified a circuit design for performing interactive consistency [Bevier 1991], while Srivas and Bickford have carried out a similar activity [Srivas 1991]. Schubert and Levitt have verified the ....

Natarajan Shankar. Mechanical verification of a schematic Byzantine clock synchronization algorithm. NASA Contractor Report 4386, July 1991.


Formal Verification of the Interactive Convergence Clock.. - Rushby, von Henke (1991)   (11 citations)

....and abstract programs written in the Ehdm specification language [24]. The specification and verification described here was performed on a Sun workstation using Ehdm Version 5.2.0. Other substantial verifications of fault tolerance properties that have been undertaken in Ehdm are described in [23, 27]. Our specification and verification of the Interactive Convergence Clock Synchronization Algorithm uses only some of the capabilities of Ehdm. Specifically, it uses the functional component of the specification language, the ground prover, and the proof chain analyzer. A complete ....

....as is the requirement that a good clock should be a strict monotonic function. Schneider [25] presents a formulation of clock synchronization which treats these aspects more realistically. Our colleague Shankar has conducted a formal specification and verification of Schneider's formulation [27]. A further challenge is to formalize and verify an implementation of the Interactive Convergence Clock Synchronization Algorithm; so far, we have simply verified properties of the algorithm itself. Our current work is addressing these challenges; we expect to report our results towards the ....

Natarajan Shankar. Mechanical verification of a schematic Byzantine fault-tolerant clock synchronization algorithm. Technical Report SRI-CSL-91-4, Computer Science Laboratory, SRI International, Menlo Park, CA, January 1991. Also NASA Contractor Report 4386.


NASA Langley's Research and Technology-Transfer.. - Butler, Caldwell, .. (1995)   (8 citations)

....the design and verification of SIFT [29]. The proof was done by hand in the style of journal proofs. More recently this proof step was mechanically verified using the Ehdm theorem prover [39, 40]. In addition, SRI mechanically verified Schneider's clock synchronization paradigm [41] using Ehdm [42, 43]. A further generalization was found at NASA Langley [44]. The design of a digital circuit to distribute clock values in support of fault tolerant synchronization was completed by SRI and was partially verified. CLI reproduced the SRI verification of the interactive convergence algorithm ....

Natarajan Shankar, "Mechanical verification of a schematic Byzantine clock synchronization algorithm", NASA CR-4386, July 1991.


Formal Analysis for Dependability Properties: the.. - Pfeifer, Henke (2001)

No context found.

N. Shankar. Mechanical Verification of a Schematic Byzantine Clock Synchronization Algorithm. Technical Report CR-4386, NASA, 1991.


CiteSeer.IST - Copyright Penn State and NEC