18 citations found.
M. A. Bezem and J. F. Groote, "A formal verification of the alternating bit protocol in the calculus of constructions," Dept. of Philosophy, Utrecht University, Logic Group Preprint Series 88, Mar. 1993.


This paper is cited in the following contexts:
Manual for the μCRL tool set (version 2.8.2) - Wouters (2001)

....algorithms. μCRL has been extended with features to express time [Gro97] but the tools do not support this extension, except for the possibility to check the static semantic constraints. The tool set is constructed around a restricted form of μCRL, namely the linear process operator format (lpo) [BG93]. The tool mcrl checks whether a certain specification is well formed μCRL and attempts to transform it into a linearised (i.e. lpo) form. This linearised form is stored in binary form (more precisely in binary aterm format, also called tool bus format (tbf)). All other tools use this ....

M.A. Bezem and J.F. Groote. A formal verification of the alternating bit protocol in the calculus of constructions. Technical Report 88, Utrecht University, Logic Group Preprint Series, 1993. ftp://ftp.phil.uu.nl/pub/logic/PREPRINTS/preprint88.ps.Z.


PAM: A Process Algebra Manipulator - Lin (1993)   (26 citations)

....into it a specific process algebra, so it is not possible for users to define their own calculi. Recently some work has been going on using existing general theorem provers based on higher order logic, such as HOL and Coq, to carry out axiomatisation based proofs in process algebras [Nes91, BG93]. Exploiting these theorem provers has the advantage that the powerful mechanism of rewriting, mathematical induction and tactics that are built into them are freely available. On the other hand general theorem provers lack facilities specific for process algebras. Encoding process calculi in ....

....do not support reasoning with recursively defined processes, application of the unique fixpoint induction has to be done by manual substitution [Nes91]. Also proofs tend to be long and hard to read. For instance the proof file for the alternate bit protocol in Coq is as big as 200Kbyte [BG93], while a proof of a similar problem in PAM consists of less than 200 lines. PAM is written in Standard ML. The graphic user interface is implemented using eXene, an X window system interface for the New Jersey ML compiler [RG91]. Acknowledgements Many thanks to Matthew Hennessy for ....

Bezem, M., Groote, J.F., A Formal Verification of the Alternating Bit Protocol in the Calculus of Constructions, Report No. 88, Department of Philosophy, Utrecht University, 1993.


Process Algebra with Combinators - Bergstra, Bethke, Ponse (1994)   (2 citations)

.... SABP is specified correctly: does the entire process, apart from its internal actions, behave as a one element buffer? Or, to put it differently, can we prove that I;P (SABP ) Sigma D;P (r 1 Delta s 3 ) ffi where I = fc ; c 2 ; c 4 ; c 5 ; ig As is usual (cf. e.g. [BK86], [Vaa90], [BG93]) we assume that the following principles are satisfied in the algebra in which we model SABP: Table 10. The function symbols of SABP 0; 1 : B i; r ; s ; c : A c r1 ; s3 : D A c r2 ; s2 ; c2 : B A c r4 ; s4 ; c4 ; r5 ; s5 ; c5 : D (B A c ) S; M;R;SABP : P G : B P T : D ....

M. Bezem and J. F. Groote. A formal verification of the Alternating Bit Protocol in the Calculus of Constructions. Logic Group Preprint Series, no. 88, Department of Philosophy, University of Utrecht, 1993.


A computer-checked verification of Milner's scheduler - Korver, Springintveld (1994)   (14 citations)

....proof checking is done using the system Coq (see [4]), a proof assistant based on type theory. This case study (consisting of giving a formal proof and checking it in Coq) is part of a series of such case studies. Protocols that have been verified in this way are the Alternating Bit Protocol [2], a Bounded Retransmission Protocol [10] both in the setting of ACP and μCRL, and the same Bounded Retransmission Protocol in the setting of I/O automata [14]. Among these exercises, the verification of Milner's scheduler stands out, because this protocol has quite a complicated interaction ....

....roughly 30 consists of lemmas concerning the data types. The remaining 50 is divided equally over the other sections. In appendix D, we give a short description of Coq and a small example of a Coq session. For a more detailed exposition of the implementation of process algebra in Coq we refer to [2, 19]. In this paper we concentrate on showing how to formalise specifications and proofs in such a way that their correctness can be verified automatically. Three points deserve mentioning. First, the correctness proof in this paper is given within the so called branching bisimulation (see [8]). This ....

M. Bezem and J.F. Groote. A formal verification of the alternating bit protocol in the calculus of constructions. Technical Report Logic Group Preprint Series No. 88, Utrecht University, 1993.


Proof-Checking a Data Link Protocol - Helmink, Sellink, Vaandrager (1994)   (52 citations)

....as well as the basic data types employed by the protocol, the use of LP even leads to a reduction in the size of the proofs. However, their example is quite simple (there is no need to establish state invariants) and it remains to generalize these results to larger examples. Bezem and Groote [3] have used Coq to check a verification of the alternating bit protocol in process algebra. Their proofs are essentially based on rewriting. Recently, Groote and Van de Pol [12] have also verified the Bounded Retransmission Protocol in process algebra using Coq. Whether one prefers process ....

M. Bezem and J.F. Groote. A formal verification of the alternating bit protocol in the calculus of constructions. Logic Group Preprint Series 88, Dept. of Philosophy, Utrecht University, March 1993.


Strategic Directions in Computing Research Concurrency.. - Cleaveland, (eds.) (1996)   (2 citations)

....virtue of such tools is that they permit the analysis of systems such as those that are parameterized or manipulate data that lie beyond the scope of fully automated tools; their disadvantage is that they can require substantial user interaction. Sample tools include PVS [ORS92] and Coq CRL [BG93] which both enrich type theories for manipulating values with notions of concurrency and which have been used to prove the correctness of parameterized systems and distributed algorithms and protocols; STeP [BBC 96] which provides automated support for establishing that concurrent systems ....

M. Bezem and J. F. Groote. A formal verification of the alternating bit protocol in the calculus of constructions. Logic Group Preprint Series 88, Dept. of Philosophy, Utrecht University, March 1993.


Formalizing Inductive Proofs of Network Algorithms - Bharadwaj, Felty, Stomp (1995)   (2 citations)

....and the latter can be mapped directly to a Promela program and verified using Spin. The formula q in these cases is quite large and a direct proof in Coq involves a lot of detailed repetitive reasoning, which we avoid because of our use of the model checker. In related work, Coq is used in [1, 14] to verify the Alternating Bit Protocol and a data link protocol without the aid of a model checker. In both these proofs the network is fixed. Chou [4] verifies the PIF protocol for arbitrary connected graphs in the HOL theorem prover [11], again without the aid of a model checker. His proof uses ....

Marc Bezem and Jan Friso Groote. A formal verification of the alternating bit protocol in the calculus of constructions. Technical Report Logic Group Reprint Series No. 88, Utrecht University, 1993.


Algebraic Proof Assistants in HOL - Rix Groenboom (1995)   (3 citations)

....out each of the intermediate terms, for human beings a tedious and extremely error prone task. In this respect, it is much more like the formalization of ACP in Coq by Sellink [S94] which has been applied to various correctness proofs for communication protocols like the Alternating Bit Protocol [BG93]. An intermediate layer is built upon an existing proof checker, which has already been shown useful in the proofs of individual instances, so as to facilitate program correctness proofs. The tool KIV (Karlsruhe Interactive Verifier) [HRS90] is similar in approach, although the aim is to verify ....

M.A. Bezem and J.F. Groote. A formal verification of the alternating bit protocol in the calculus of constructions. Technical Report 88, Logic Group Preprint Series, Utrecht University, March 1993.


Inductive Proofs with Sets, and some Applications in Process.. - van Wamel

....induction, which is a well known technique for proving properties of data by structural induction on terms, with an induction rule. As a result of this purely algebraic character, verifications in μCRL lend themselves very well for automated proof checking. As examples of such work we mention [BG93, KS93]. For a brief overview of μCRL and its proof theory, and a survey of verifications of concurrent systems in it we refer to the paper [GP94]. The derivation and use of alternative induction schemes as we use it originates from [GvW94] where a large collection of standard data types and structures ....

M. Bezem and J.F. Groote. A formal verification of the alternating bit protocol in the calculus of constructions. Technical Report Logic Group Preprint Series No. 88, Utrecht University, 1993.


Verifying Process Algebra Proofs in Type Theory - Sellink (1993)   (19 citations)

....are numerous ways to do these things. At this stage the best (correct, efficient) way to follow is not yet clear to us. This paper must be seen as a first attempt. Proofs for Milner's Scheduler and the good old alternating bit protocol are computer checked using the representation introduced here [12, 3]. Recently, Jaco van de Pol checked a μCRL proof of the Bounded Retransmission Protocol (BRP). Different from [12] and [3] the BRP proof was checked by building large tacticals that automatically rewrite the huge μCRL process terms into some kind of normal form. This seems to save a lot of work. ....

....paper must be seen as a first attempt. Proofs for Milner's Scheduler and the good old alternating bit protocol are computer checked using the representation introduced here [12, 3]. Recently, Jaco van de Pol checked a μCRL proof of the Bounded Retransmission Protocol (BRP). Different from [12] and [3] the BRP proof was checked by building large tacticals that automatically rewrite the huge μCRL process terms into some kind of normal form. This seems to save a lot of work. This paper is organized as follows. In Section 1 we give a short, informal introduction to type theory. Section 2 is an ....

M.A. Bezem and J.F. Groote. A formal verification of the alternating bit protocol in the calculus of constructions. Technical Report 88, Logic Group Preprint Series, Utrecht University, March 1993.


A Formal Verification of the Alternating Bit Protocol in μCRL - Kamsteeg (1993)   (2 citations)

....a contradiction, now because of lemmaB. Thus, by Reductio ad Absurdum (RAA) discharging the assumption [1] we get (r(d) s(e) p q) c(e) p[e d] q) c(e) p[e d] q) lemmaC] In a derivation format: lemmaC] 1] r(d) s(e) p q) c(e) p[e d] q) c(e) p[e d] q) 2] 20 [3] d = e [4] (r(d) s(e) p q) c(e) p[e d] q) E [3] lemmaA] c(e) p[e d] q) E [4] 1] I] d = e) 5] r(d) s(e) p q) c(e) p[e d] q) E [2] lemmaB] c(e) p[e d] q) E [5] 1] RAA] r(d) s(e) p q) c(e) p[e d] q) c(e) p[e d] q) Because there are no open ....

.... the assumption [1] we get (r(d) s(e) p q) c(e) p[e d] q) c(e) p[e d] q) lemmaC] In a derivation format: lemmaC] 1] r(d) s(e) p q) c(e) p[e d] q) c(e) p[e d] q) 2] 20 [3] d = e [4] r(d) s(e) p q) c(e) p[e d] q) E [3] lemmaA] c(e) p[e d] q) E [4] [1] I] d = e) 5] r(d) s(e) p q) c(e) p[e d] q) E [2] lemmaB] c(e) p[e d] q) E [5] 1] RAA] r(d) s(e) p q) c(e) p[e d] q) c(e) p[e d] q) Because there are no open assumptions left, and consequently d does not occur free in any open assumption, we may apply ....


M. Bezem and J.F. Groote, A formal Verification of the Alternating Bit Protocol in the Calculus of Constructions, Logic Group Preprint Series No. 88 - March 1993, Department of Philosophy Utrecht University, Utrecht 1993.


A Computer-Checked Verification of Milner's Scheduler - Korver, Springintveld (1994)   (14 citations)

....proof checking is done using the system Coq (see [4]), a proof assistant based on type theory. This case study (consisting of giving a formal proof and checking it in Coq) is part of a series of such case studies. Protocols that have been verified in this way are the Alternating Bit Protocol ([2]), a Bounded Retransmission Protocol ([11]) both in the setting of ACP and μCRL, and the same Bounded Retransmission Protocol in the setting of I/O automata ([15]) ....

....roughly 30 consists of lemmas concerning the data types. The remaining 50 is divided equally over the other sections. In Appendix D, we give a short description of Coq and a small example of a Coq session. For a more detailed exposition of the implementation of process algebra in Coq we refer to [2, 18]. In this paper we concentrate on showing how to formalise specifications and proofs in such a way that their correctness can be verified automatically. Three points deserve mentioning. First, the correctness proof in this paper is given within the so called branching bisimulation (see [8]). This ....

M. Bezem and J.F. Groote. A formal verification of the alternating bit protocol in the calculus of constructions. Technical Report Logic Group Preprint Series No. 88, Utrecht University, 1993.


Proof-Checking a Data Link Protocol - Helmink, Sellink, Vaandrager (1993)   (52 citations)

....as well as the basic data types employed by the protocol, the use of LP even leads to a reduction in the size of the proofs. However, their example is quite simple (there is no need to establish state invariants) and it remains to generalize these results to larger examples. Bezem and Groote [3] have used Coq to check a verification of the alternating bit protocol in process algebra. Their proofs are essentially based on rewriting. Recently, Groote and Van de Pol [12] have also verified the Bounded Retransmission Protocol in process algebra using Coq. Whether one prefers process ....

M. Bezem and J. Groote. A formal verification of the alternating bit protocol in the calculus of constructions. Logic Group Preprint Series 88, Dept. of Philosophy, Utrecht University, Mar. 1993.


A Bounded Retransmission Protocol for Large Data Packets. A.. - Groote, Pol (1993)   (42 citations)  Self-citation (Groote)

....problems. The most important is that proofs contain very many trivial steps. For human beings it is hard to guarantee that all these steps are correct. Therefore, we think it necessary to check the correctness proofs with proof checkers [3, 12, 15]. The Bounded Retransmission Protocol of Philips [16] is an example of a distributed system which relies heavily on data. It is a simplified variant of a telecommunication protocol that is used in one of Philips products. The protocol allows to transmit large blocks of data within a limited ....

....of induction that we have not encountered before in protocol verification. Furthermore, the proof turns out to be very compact, given the complexity of the protocol. Furthermore, the whole equivalence proof has been proof checked using the system Coq [5], along the lines set out in [15] (see also [3]). This guarantees the highest degree of correctness of the proof that can be attained nowadays. We think that we can safely claim that all lemmas and theorems in this document are correct and that they can be proved correct using only the axioms mentioned in this document. Given the fact that we ....

M.A. Bezem and J.F. Groote. A formal verification of the alternating bit protocol in the calculus of constructions. Technical Report Logic Group Preprint Series No. 88, Utrecht University, 1993.


A Correctness Proof of the Bakery Protocol in mCRL - Groote, Korver   Self-citation (Groote)

....for algebraic reductions of processes. In particular, simple and elegant correctness identities such as given in section 3 cannot be formulated. There are two other points that deserve mention. First, the proof system of μCRL has been defined in such a way that it allows for automatic proof checking [Sel93, BG93b, GP93, KS94]. This is important, as a minor mistake in a program or a protocol may have disastrous impacts. And actually, we have so often detected oversights in calculations that we may expect that also the proof in this paper is not completely flawless. The only way to systematically increase the ....

M.A. Bezem and J.F. Groote. A formal verification of the alternating bit protocol in the calculus of constructions. Technical Report 88, Logic Group Preprint Series, Utrecht University, March 1993.


Checking Verifications of Protocols and Distributed Systems .. - Groote, Monin, Pol (1998)   (8 citations)  Self-citation (Groote)

....the theory must be made effective. This means that either the formal proof cannot contain a too large number of steps, which can all be entered by hand, or the proof checker allows that large parts of the proof are constructed by the checker. In one of our earliest encounters with a proof checker [8], we expanded the parallel operator into alternative and sequential composition using the standard axioms of ACP [5]. Given the large number of applications of axioms that were needed, we had to develop specific expansion theorems. We have spent a lot of effort to make checking process algebraic ....

....ones. Nevertheless, this overview gives a good impression of the state of the art. In the context of process algebra [5] most such checks have been carried out using the language μCRL [34]. It has been encoded in the Coq system and applied to the verification of the alternating bit protocol [8, 7], Milner's scheduler [47], a bounded retransmission protocol [36] and parallel queues [48]. μCRL has also been encoded in PVS and a distributed summing protocol has been computer checked in [33] using the methodology presented in [35]. Temporal logic has been mainly used for proving safety ....

M.A. Bezem and J.F. Groote. A formal verification of the alternating bit protocol in the calculus of constructions. Technical Report 88, Logic Group Preprint Series, Utrecht University, March 1993.


Formal Verification of Communication Protocol Using Type.. - Zhang, Xie, Munro, al. (2003)

No context found.

M. A. Bezem and J. F. Groote, "A formal verification of the alternating bit protocol in the calculus of constructions," Dept. of Philosophy, Utrecht University, Logic Group Preprint Series 88, Mar. 1993.


Studies in Computer Aided Verification of Protocols - Griffioen (2000)

No context found.

M.A. Bezem and J.F. Groote. A formal verification of the alternating bit protocol in the calculus of constructions. Logic Group Preprint Series 88, Dept. of Philosophy, Utrecht University, March 1993.


CiteSeer.IST - Copyright Penn State and NEC