Analysis of a protocol for dynamic configuration of IPv4 link-local addresses using Uppaal. Report NIII-R03XX, Nijmeegs Instituut voor Informatica en Informatiekunde, 2003
Abstract. Formal methods have been applied frequently to analyze (critical parts of) standards for communication protocols and it has been demonstrated that their application may help to improve the quality of these standards. Nevertheless, despite several decades of formal methods research, formal methods notations have rarely been included in the authoritative part of protocol standards. Also, the relationships between (abstract) formal models and informal protocol standards are typically obscure. It is our ambition to improve this situation. To establish the current state-of-the-art, we report in this paper on a case study in which Uppaal is used to formally model parts of Zeroconf, a protocol for dynamic configuration of IPv4 link-local addresses that has been defined in RFC 3927 of the IETF. Our goal has been to construct a model that (a) is easy to understand by engineers, (b) comes as close as possible to the informal text (for each transition in the model there should be a corresponding piece of text in the RFC), and (c) may serve as a basis for formal verification. Our conclusion is that Uppaal, which combines extended finite state machines, C-like syntax and concepts from timed automata theory, is able to model Zeroconf in a faithful and intuitive manner, using notations that are familiar to protocol engineers. Our modeling efforts revealed several errors (or at least ambiguities) in the RFC that no one else spotted before. We also identify a number of points where Uppaal still can be improved. After applying a number of abstractions, Uppaal is able to fully explore the state space of an instance of our model with three hosts, and to establish some correctness properties.

Modelling and verification of the LMAC protocol for wireless sensor networks, 2007
In this paper we report on the modelling and verification of a medium access control protocol for wireless sensor networks, the LMAC protocol. Our approach is to systematically investigate all possible connected topologies consisting of four and of five nodes. The analysis is performed by timed automaton model checking using Uppaal. The property of main interest is detecting and resolving collision. To evaluate this property for all connected topologies, more than 8000 model checking runs were required. Increasing the number of nodes would not only lead to a state space problem but, to a much greater extent, cause an instance explosion problem. Despite the small number of nodes, this approach gave valuable insight into the protocol and the scenarios that lead to collisions not detected by the protocol, and it increased the confidence in the adequacy of the protocol.

Does it pay off? Model-based verification and validation of embedded systems. PROGRESS White papers 2006. STW, the Netherlands, 2006. ISBN-10: 90-73461-00-6, ISBN-13
An overview is presented of the state-of-the-art in model-based verification and validation of embedded systems, directed towards an industrial audience. Verification and validation consists in exploring the current design against properties expressed as part of the requirements. It includes testing, model checking, runtime verification and fault diagnosis, and more exploratory techniques such as the use of theorem proving. During recent years, much progress has been made in theory, methods and tools for model-based verification and validation. In this paper, I will try to indicate for what type of practical problems it pays off to apply one of these modern techniques. Special attention will be paid to the results of six PROGRESS projects in this area. Embedded systems are highly specializable, often reactive, subsystems that provide, unnoticed by the user, information processing and control tasks to their embedding system. Embedded systems are omnipresent nowadays and make possible the creation of systems with a functionality that cannot be provided by human beings. Example application areas are consumer electronic products (e.g. CD

Formal Specification and Analysis of Zeroconf Using Uppaal
We report on a case study in which the model checker Uppaal is used to formally model parts of Zeroconf, a protocol for dynamic configuration of IPv4 link-local addresses that has been defined in RFC 3927 of the IETF. Our goal has been to construct a model that (a) is easy to understand by engineers, (b) comes as close as possible to the informal text (for each transition in the model there should be a corresponding piece of text in the RFC), and (c) may serve as a basis for formal verification. Our modeling efforts revealed several errors (or at least ambiguities) in the RFC that no one else spotted before. We present two proofs of the mutual exclusion property for Zeroconf (for an arbitrary number of hosts and IP addresses): a manual, operational proof, and a proof that combines model checking with the application of a new abstraction relation that is compositional with respect to committed locations. The model checking problem has been solved using Uppaal, and the abstractions have been checked either by hand or by using Uppaal-Tiga.

Analysis and Tools: Abstraction and Compositionality. KUN, 2004
structure exploitation as key techniques in controlling and reducing the complexity involved in analyzing real-time system models. Abstraction and compositionality are well established for model checking and theorem proving approaches to discrete state system verification. Abstraction — either based on generic principles (like from timed to untimed systems, or from infinite data domains to finite ones) or on case-specific, user-suggested simplifications — serves to simplify the models by omitting aspects that are not relevant for analysis. Compositionality provides a divide-and-conquer approach to managing complexity: properties of complicated systems are inferred from properties of their components. For the verification of finite-state systems, a number of techniques for exploiting the composite structure of the model exist. Partial order reduction and compositional backwards reachability are methods which help to reduce search spaces for loosely coupled concurrent components. Likewise, methods exploiting symmetries and hierarchical structure have been shown to be very successful. This deliverable presents a brief overview of the results obtained by Ametist that relate to abstraction and compositionality. A discussion of the (impressive) results on structure exploitation will be deferred to Deliverable 2.1.2, which is due next year. In fact, most of the efforts in Task

