Introduction to and comparison of formalisms

Jorma Paananen
Tik-110.501 Seminar on Network Security
Jorma.Paananen@tele.fi

Abstract

This document gives an introduction to a few formalisms. Formalisms are Petri Nets, process algebras (LOTOS), modal logic and temporal logic. Communication protocol examples are given, and the main benefits of using formalisms are discussed.

Table of contents

1. Introduction
1.1. Reasons to use formalisms
2. Petri Nets
2.1. Predicate/Transition Nets
3. Process algebras, LOTOS
4. Modal logic
4.1. Other modal logics
5. Temporal logic
6. Conclusions
References
Related links

1. Introduction

 This is a short introduction to a number of formalisms and the general idea of using them to describe and reason about protocols. The introduced formalisms are Petri Nets, process algebras (LOTOS), modal logic and temporal logic.

1.1 Reasons to use formalisms

The main reason to use formal description techiques, or formal methods, is that they give us tools to analyze protocol models and other systems of interest, and find facts and errors in them, both at the specification level and at the implementation level. Formal methods can be used in performance evaluation, and even to find new inplementation techiques. Checking the conformance between various levels of abstraction is also possible. There currently exist many computer tools, both free and commercial, to help us in using formalisms.

The most difficult part of using formalisms is perhaps in choosing the formalisms to use and the abstraction level of the model. For example in a state machine, based formalisms balancing between a too simple model and a too complex model is hard. A simple model will possibly leave some important details hidden, whereas a complex model can cause combinatorial explosition in the state space.

2. Petri Nets

Petri Nets were first introduced by C.A. Petri in the 60's as a common reference model of the net theory [1, 2, 3]. A basic Petri Net consists of a set of places, a set of transitions and a set of arcs connecting places to transitions and transitions to places. Semantically a Petri Net can be seen as a condition/event graph, where places are conditions and transitions are events. An event can occur if all conditions for the event hold. In a Petri Net, this means that there is a mark in all the places that are connected to the transition as input places. When an event happens, that is, a transition fires, marks are removed from those places and marks are added to all those places that are connected to the transition as output places.

Example: Simplified Alternating Bit Protocol

MIDDLE

This is a graphical representation (a directed net) of a simple communication system modelled as a Petri Net. It represents a simplified version of the alternating bit protocol with a lossy communication channel from the sender to the receiver. In the picture the places are drawn as circles and the transitions are drawn as lines. Arcs from places to transitions and from transitions to places have a direction.

In the figure the sender is ready to send (there is a mark, a token, in the place "ready to send") and the receiver is ready to receive. Transition "send" is enabled, ready to fire, because there is a token in the place "ready to send", the only place connected to the transition as the input place. After the transition fires the token disappears from the place "ready to send" and a token appears in the places "in buffer" and "sent". After that the transitions "receive" and "lose" are enabled.

MIDDLE

A Petri Net Formalism

A Petri Net can be formally defined as a 6-tuple:

MIDDLE

In addition to the places, transitions and arcs we have an initial marking, place capacities and arc weights.

K(p) denotes the capacity of the place. It sets the upper limit to the number of tokens that a place can hold. Alternatively the capacity can be unlimited, i.e. infinite. More formally K can be defined as a function:

MIDDLE

W denotes the weight of an arc. The weight tells the number of tokens that the firing of a transition either removes from or adds to the places that are connected to the transition. It can be defined as a function:

MIDDLE

Petri Nets with finite capacity, that is, in nets where for all places p TOP have a restriction in the transition rule: a transition is enabled only if the number of tokens in each of the output places would not exceed its capacity after firing the transition. This is called the strict transition rule. Petri Nets with infinite capacity of places don't have this restriction and they obey the so called weak transition rule.

2.1 Predicate/Transition Nets (Pr/T Nets)

A Pr/T Net is a more powerful formalism developed from ordinary Petri Nets by Genrich and Lautenbach. Informally, the Pr/T Nets add individuals, their changing properties and relations to the ordinary Petri Nets. In other words, tokens have an identity and arcs are labeled with variables, and the transitions may be annotated with a formula. The formula limits the conditions when the transition can fire.

MIDDLE

The transition is drawn as a box so that the logical formula fits inside it.

A Pr/T Net Formalism

More formally, a Pr/T Net consists of a 8 tuple:

MIDDLE

The most common property of a Petri Net or Pr/T Net that is used in studying the dynamics of the modelled system is reachability. Marking Mj is reachable from marking Mi if there exists a series of transition firings that end in the marking Mj.

Another important concept that can be studied is liveness. There are different levels of livenesses defined, but basically liveness for the marking M0 means that in all reachable markings it is possible to fire any transition in the net after some firing sequence. In other words, the precense or absence of deadlocks can be studied.

The graphical representation of the formalism gives a clear visual means for simulating the dynamics of the system, step by step or continuously.

3. Process algebras, LOTOS

A process algebra is a model based on modelling processes and events. The algebra provides operations for combining events and processes. The names of the events in the process algebra are called actions. A process is specified by defining its behaviour as a sequence of possible events. Examples of process algebraic formalisms are LOTOS, CCS and CSP.

LOTOS (Language Of Temporal Ordering Specification) was developed in the 80's and it became a ISO standard in 1989 [4, 5]. It describes a system by defining all the possible event orderings that an external observer may detect. A LOTOS description consists of two parts, the first part describes the process behaviours and their interactions, and the second part describes the data stuctures and value expressions. Data type description is based on a language called ACT ONE.

MIDDLE

This is an example of a system that has four events: send_request, ok, error and deliver. Send_request and deliver events include data in the event. The system is a box with a number of action points (gates in LOTOS) that can be seen from its environment. The alphabet of the system is the set of possible actions of a system.

MIDDLE

This is a more detailed model of our previous example. The inside of the box consists of processes and connections between them. Communication between processes is synchronous; an event is possible if and only if all processes that are intrested in it are ready to perform it, and they all perform it simultaneously. Asychronous communication can be modelled placing queues between processes. The queue is specified as a process. A process has a similar structure as the whole system itself.

Labeled TransitionSystem

A Labeled Transition System (LTS) of a process P describes the behaviour of the process.

MIDDLE

LTS is not directly a LOTOS concept. Data in a LTS can be included as typed variables and the values of the variables can be tested.

Some basic LOTOS syntax describing the testing, input, output and synchonization and some examples:

MIDDLE

Hiding

Hiding is used to hide internal communication of subsystems. At the global behaviour level internal communication has the same effect as an internal event. An internal event itself is not visible but an external observer is able to notice its effects. An example with LOTOS syntax where the internal event is denoted as i. In the example the external observer sometimes notices action A, sometimes the system deadlocks.

MIDDLE

Alternating Bit Protocol Example

The state of waiting for acknowledgement in the alternating bit protocol could be described as a LOTOS process as:

MIDDLE

Trace

A trace is a queue that consists of all visible events starting from the initial state. This concept is a similar to a firing sequence in Petri Nets. For example, traces can be used to find deadlocks. A divergence trace tells if process can go to the state where it starts to execute hidden events infinitely. Verifying process algegraic models is based on various classes of equivalence. For example, a LOTOS specification is first transformed to a LTS, and then the equivalence of that LTS and a requirement LTS is analyzed.

4. Modal logic

Propositional modal logic

 A propositional formula is a formula consisting of primitive propositions (represented by propositional letters) and propositional connectives (or, and, not, implication)

MIDDLE

The primitive propositions themself are also propositional formulas. Examples of primitive propositions are the following: 

A: "It is raining"
B: "The window is open"
Now a sentence "It is raining and the window is not open" can be formulated as a proposotional formula as:

MIDDLE

A propositional modal formula is a propositional formula added with a modal operator, expressed here with the letter K [6, 7]. A modal operator often expresses a temporal or epistemic "mode" of its operand. Some examples of modal operators are "knows", "next", "believes" and "until". In a multimodal logic there can be more than one modal operator. For example, we can fomulate "Bob knows that it is raining" as

MIDDLE

and "Alice knows that Bob knows that it is raining and the window is open" as

MIDDLE

Multiple Worlds Semantic

One approach to describe the semantics of a modal propositional logic is in terms of possible worlds. The idea of the possible worlds model is that when an agent (a single observer) does not have all the information, when he does not know the value of some propositions or statements, he considers all possible values as if there were parallel worlds, one for each value.

An example of a semantics of possible worlds, a simple card game.

We have two players (1 and 2) and three cards (A, B and C). Each player takes one card and the third card is left face down on the table. A possible world is described in our model by the cards that the players hold. If player 1 holds A and player 2 holds B we denote the world as (A, B). So there are six possible worlds in our model (A, B), (A, C), (B, A), (B, C), (C, A) and (C, B). Now if the player 1 has card C then he clearly thinks that there are two possible worlds, in other one the player 2 holds A and in the other one player 2 holds B. As a picture the whole model is:

MIDDLE

Arcs connecting the worlds show which player thinks that both worlds connected with the arc are possible. There should be also a self loop at each world denoting that the player considers the actual world possible, but they are left out to make the picture more clear. The situation where the player 1 has card C is outlined in the following picture:

MIDDLE

Formal semantics

Possible worlds semantic can be formulated with structures called Kripcke structures. A Kripke structure M for n modal operators and primitive propositions F is a tuple:

MIDDLE

In addition to the basic knowledge operator K, when modelling knowledge, there are two important modal operators. Those are E, everyone knows and C, common knowledge. If "a" is a formula, then veryone knows "a" simply means that everyone knows "a". Common knowledge means that everyone knows "a" and everyone knows that everyone knows "a" and so on. If G is the group of agents, we can formalize:

MIDDLE

4.1 Other modal logics

Modal logics are in no way restricted to a particular logic. If we take, for example, first order logic we can create a first order modal logic by adding one or more modal operators. For example, let's consider a first order formula "Every house has a door". It can be formalized as:

MIDDLE

Now we can formalize the sentence "Bob knows that every house has a door" is:

MIDDLE

The same possible worlds semantic works well also for this kind of logic.

5. Temporal logic

Temporal logic is a form of modal logic where the modal operators deal with the concept of time [6, 8]. Common temporal operators are the following:

MIDDLE

Alternating bit protocol example

In the alternating bit protocol, the sender sends one bit of information to the receiver. So a sentence describing the knowledge of the receiver "the receiver eventually knows the sender's initial bit" can be formulated with our temporal logic as:

MIDDLE

6. Conclusions

Formal description techiques, or formal methods, give us tools to analyze protocol models and other systems of interest.

Petri Nets and process algebras concentrate more on modelling the state of the protocol; modal and temporal logic are used more on modelling the knowledge of communication parties.

References

[1]
H.J. Genrich, K. Lautenbach. System Modelling with High-level Petri Nets. Theoretical Computer Science, Vol. 13 (1981), pp. 109-136. North-Holland Publishing Company.
[2]
H. J. Genrich. Predicate/Transition Nets. Lecture Notes in Computer Science, 254. pp. 207-247. Springer-Verlag, 1987.
[3]
T. Murata. Handbook of software engineering. Chapter 3, Modeling and analysis of concurrent systems, pp. 39-63.
[4]
T. Bolognesi, E. Brinksma. Introduction to the ISO Specification Language LOTOS. Computer Networks and ISDN Systems 14 (1987). 25-59.
[5]
Salona, Vives, Gomez. An Introduction to LOTOS. Universidada Politecnica de Madrid.
[6]
R. Fagin, J. Halpern, Y. Moses, M. Vardi. Reasoning about Knowledge. Chapters 2,3 and 4. 1995. The MIT Press.
[7]
M. Fitting. Basic Modal Logic. Handbook of Logic in Artificial Intelligence and Logic Programming, Volume 1, Logical Foundations, 1993. pp. 365-448.
[8]
A. Punueli. Applications of temporal Logic to the specification and verification of reactive systems: a survey of current trends. Lecture Notes in Computer Science, 224. pp. 510-584. Springer-Verlag, 1986.

Related links
[9]
University of Aarhus, Computer Science Department. Petri Nets
[10]
CRIM Software engineering (SE). Petri Net tools list.
[11]
University of Twente, Netherlands. LOTOS pages
[12]
ftp.dit.upm.es ftp server. LOTOS Industrial cases.
[13]
LOTOS standard IS 8807, by ISO