Masaaki Mizuno - Academia.edu
Papers by Masaaki Mizuno
Formal Aspects of Computing, 1992
We derive a security flow control algorithm for message-based, modular systems and prove the algorithm correct. The development is noteworthy because it is completely rigorous: the flow control algorithm is derived as an abstract interpretation of the denotational semantics of the programming language for the modular system, and the correctness proof is a proof by logical relations of the congruence between the denotational semantics and its abstract interpretation. Effectiveness is also addressed: we give conditions under which an abstract interpretation can be computed as a traditional iterative data flow analysis, and we prove that our security flow control algorithm satisfies the conditions. We also show that symbolic expressions (that is, data flow values that contain unknowns) can be used in a convergent, iterative analysis. An important consequence of the latter result is that the security flow control algorithm can analyse individual modules in a system for well formedness a...
2002 Annual Conference Proceedings
In recent years, the importance of concurrent programming has increased. However, many programmers are not appropriately trained to write correct and efficient concurrent programs. The techniques that most Operating Systems (OS) textbooks teach are ad hoc, and such ad hoc techniques are far too error-prone for solving complex synchronization problems. The global invariant approach developed by G. Andrews is much more formal and structured, and we have been teaching this approach since 1992 at Kansas State University. One possible drawback of the invariant approach is the difficulty of identifying an appropriate invariant for a given synchronization requirement. To cope with this problem, we have developed a set of useful synchronization patterns and their solution invariants. Using the patterns, we can solve a wide variety of synchronization problems found in many advanced OS textbooks. In Fall 2001, we successfully taught our pattern-based approach in our graduate-level OS course. In this paper, we present our methodology and report a qualitative and quantitative evaluation of the methodology by students in the classroom setting.
[1992] Proceedings of the 12th International Conference on Distributed Computing Systems
[1992] Proceedings of the 12th International Conference on Distributed Computing Systems
[1991] Proceedings. 11th International Conference on Distributed Computing Systems
4.1.1 Access matrix model
4.1.2 Information flow model
4.1.3 Restrictions of the access matrix model
4.1.4 Problems of applying existing information flow models to the RM system
4.2 Overview of the Information Flow Control Mechanism
4.2.1 Introduction
4.2.2 Handling implicit flows
4.2.3 Some remarks on probes and dynamically bound state variables
4.3 The Compile-Time Algorithm
4.3.1 Reduction rules
4.3.2 Generation of information flow templates
4.4 The Run-Time Algorithm
4.5 Program Examples
4.5.1 A program with no dynamically bound state variables
4.5.2 A program with dynamically bound state variables
5 LINK-TIME INFORMATION FLOW CERTIFICATION
5.1 The Link-Time Mechanism
5.2 Termination and Correctness of the Link-Time Algorithm
5.3 The Modified Link-Time Mechanism
5.4 The Link-time/Run-time Algorithm Allowing Dynamically Bound State Variables
5.5 Comparisons of the Information Flow Mechanisms
6 CONCLUSION
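The two information flow entries above (the Formal Aspects of Computing paper and the compile-time/link-time outline) describe a flow analysis computed as an iterative data flow analysis, with implicit flows handled through the control context and with symbolic unknowns carried through a module's analysis. The block below is an added illustration of that style of analysis, written for this page; it is not the paper's algorithm or its language. It analyses a constructed imperative mini-language with a single send statement, uses a label lattice of category sets (union as join), treats atoms beginning with `?` as unknown input labels, and reports both concrete violations and the constraints an unknown would have to satisfy. The program, channels and clearances are constructed for the demo.

```python
# Added example (not from the paper): a flow-sensitive information-flow
# analysis of a tiny imperative, message-sending language, computed as an
# iterative fixed point over a join-semilattice of labels.  Labels are sets of
# categories; an atom beginning with '?' is an unknown (symbolic) input label,
# which the analysis carries through and reports as a constraint rather than
# deciding.  The language, lattice and program are constructed for illustration.
from typing import Dict, FrozenSet, Set

Label = FrozenSet[str]
PUBLIC: Label = frozenset()


def join(*labels: Label) -> Label:
    """Least upper bound: union of categories (finite lattice, so iteration terminates)."""
    out: Label = frozenset()
    for lab in labels:
        out |= lab
    return out


def merge(a: Dict[str, Label], b: Dict[str, Label]) -> Dict[str, Label]:
    """Pointwise join of two label environments (used where control flow joins)."""
    return {v: join(a.get(v, PUBLIC), b.get(v, PUBLIC)) for v in set(a) | set(b)}


def label_of(env: Dict[str, Label], reads: Set[str], pc: Label) -> Label:
    """Label of an expression reading `reads`, raised to the control-context label `pc`."""
    return join(pc, *(env.get(v, PUBLIC) for v in reads))


def analyse(stmts, env, clearance, pc=PUBLIC, report=None):
    """Abstractly interpret `stmts`; return (final env, report).

    Statement forms (constructed AST, not the paper's syntax):
      ('assign', x, reads)            x := f(reads)
      ('if', reads, then_b, else_b)   branch on f(reads)
      ('while', reads, body)          loop on f(reads)
      ('send', channel, reads)        send f(reads) on a channel of fixed clearance
    `pc` is the label of the enclosing control context and models implicit flows.
    """
    if report is None:
        report = {"violations": set(), "constraints": set()}
    env = dict(env)
    for stmt in stmts:
        kind = stmt[0]
        if kind == "assign":
            _, x, reads = stmt
            env[x] = label_of(env, reads, pc)          # explicit flow, plus implicit flow via pc
        elif kind == "if":
            _, reads, then_b, else_b = stmt
            inner_pc = label_of(env, reads, pc)
            env_t, _ = analyse(then_b, env, clearance, inner_pc, report)
            env_e, _ = analyse(else_b, env, clearance, inner_pc, report)
            env = merge(env_t, env_e)
        elif kind == "while":
            _, reads, body = stmt
            while True:                                 # iterate the body to a fixed point
                inner_pc = label_of(env, reads, pc)
                env_b, _ = analyse(body, env, clearance, inner_pc, report)
                new_env = merge(env, env_b)
                if new_env == env:
                    break
                env = new_env
        elif kind == "send":
            _, channel, reads = stmt
            lab = label_of(env, reads, pc)
            concrete = frozenset(a for a in lab if not a.startswith("?"))
            unknown = frozenset(a for a in lab if a.startswith("?"))
            leaked = concrete - clearance[channel]
            if leaked:
                report["violations"].add((channel, tuple(sorted(reads)), tuple(sorted(leaked))))
            for u in unknown:                            # symbolic part: deferred to link time
                report["constraints"].add((u, channel))
        else:
            raise ValueError(f"unknown statement kind {kind!r}")
    return env, report


# Constructed module: 'inp' arrives with an unknown label '?caller'.
CLEARANCE = {"log": PUBLIC, "audit": frozenset({"secret"})}
INITIAL_ENV = {"secret_key": frozenset({"secret"}), "counter": PUBLIC, "inp": frozenset({"?caller"})}
PROGRAM = [
    ("assign", "flag", {"secret_key"}),                  # explicit flow: flag becomes secret
    ("while", {"counter"}, [
        ("if", {"flag"}, [("assign", "counter", {"counter"})], []),   # implicit flow into counter
        ("assign", "out", {"inp"}),                       # loop guard now secret: out picks it up
    ]),
    ("send", "log", {"counter"}),                         # violation: secret reaches a public channel
    ("send", "audit", {"flag"}),                          # allowed
    ("send", "log", {"out"}),                             # violation, plus constraint on '?caller'
]


def run_example():
    return analyse(PROGRAM, INITIAL_ENV, CLEARANCE)


if __name__ == "__main__":
    env, report = run_example()
    for var in sorted(env):
        print(f"{var:11s} {sorted(env[var])}")
    print("violations :", sorted(report["violations"]))
    print("constraints:", sorted(report["constraints"]))
```

The second fixed-point iteration is where the loop guard, now labelled secret through the branch on `flag`, raises the label of `out` even though `out` is assigned only from `inp`; that is the implicit flow the outline's section 4.2.2 refers to. The constraint `('?caller', 'log')` is the symbolic residue: the module is well formed only if whatever label `inp` eventually has is below the clearance of `log`, which a later (link-time) check can decide once the caller is known.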
Lecture Notes in Computer Science, 2000
This paper presents a methodology to develop synchronization code based on the global invariant (GI) approach in the context of the Unified Process in UML. This approach has the following advantages: (1) it is a formal approach that enables formal verification of ...
Pdpta, 2006
Scalability in a peer-to-peer network is a challenging problem. Unstructured peer-to-peer networks inherently lack scalability, and structured networks are inefficient under a high churn rate. In this paper, we present a scalable search algorithm for a decentralized unstructured peer-to-peer network using a method to dynamically determine the number of nodes to forward a query to at once. The decision is based on the degree to which each neighbor has contributed to previous successful searches. The algorithm automatically creates a spanning graph of the high-traffic links. Once a stable spanning graph is created, a query tends to travel along the edges of the spanning graph. This way, the number of hops required for a search is roughly bounded by the diameter of the spanning graph. Simulation shows that our algorithm performs significantly better than other popular algorithms in terms of the number of messages generated and the hops required for a search.
Lecture Notes in Computer Science, 2004
This paper describes SyncGen, a tool for automatically synthesizing complex synchronization implementations from formal high-level specifications. In SyncGen, synchronization specifications are phrased using first-order logic or user-friendly specification patterns. From a high-level specification, a language-independent synchronization solution in an intermediate guarded-command language is synthesized. Back-end translators can translate this intermediate solution into a variety of implementation frameworks including Java, C++/C with POSIX threads, and Controller Area Network message passing primitives. SyncGen has been used extensively in courses at Kansas State University. Its breadth of applicability has been demonstrated by using it to solve virtually all of the exercises given in the well-known concurrency textbooks of Andrews [1,2] and Hartley [4], as well as a variety of real-world problems in the embedded computing domain. The tool, along with supporting documentation and an example repository, is publicly available [6].
Proceedings of the 24th international conference on Software engineering - ICSE '02, 2002
Concurrency is used in modern software systems as a means of addressing performance, availability, and reliability requirements. The collaboration of multiple independently executing components is fundamental to meeting such requirements, and such collaboration is realized by synchronizing component execution. Using current technologies, developers are faced with a tension between correct synchronization and performance. Developers can be confident when simple forms of synchronization are used, for example, locking all accesses to shared data. Unfortunately, such simple approaches can result in significant run-time overhead, and, in fact, there are many cases in which such simple approaches cannot implement required synchronization policies. Implementing more sophisticated (and less constraining) synchronization policies may improve run-time performance and satisfy synchronization requirements, but fundamental difficulties in reasoning about concurrency make it difficult to assess their correctness. This paper describes an approach to automatically synthesizing complex synchronization implementations from formal high-level specifications. Moreover, the generated code is designed to be processed easily by software model-checking tools such as Bandera. This enables the generated synchronization solutions to be verified for important system correctness properties. We believe this is an effective approach because the tool support provided makes it simple to use, it has a solid semantic foundation, it is language independent, and we have demonstrated that it is powerful enough to solve numerous challenging synchronization problems.
Lecture Notes in Computer Science, 1995
Controller area networks (CAN) are widely used in the development of embedded real-time systems. As embedded systems are becoming more complex, the development of dependable software for such systems has become a challenging problem. In this paper, we propose a technique to develop dependable synchronization code for CAN-based embedded systems. Our approach is to factor out synchronization as a separate aspect, synthesize synchronization code and then compose it with the functional code. Specifically, we allow the designer of a CAN-based application to first design core functional code. The designer can then annotate the functional code with control points and specify high-level "global invariants" specifying the synchronization policies. Our methodology generates synchronization code based on message passing in a CAN system and then automatically integrates the synchronization code into the functional code at appropriate control points. We propose and evaluate two soluti...
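The five synchronization entries above (the 2002 course paper, the LNCS 2000 UML paper, SyncGen, the ICSE '02 paper and the CAN paper) all rest on Andrews' global invariant method: state an invariant over the shared variables, derive for each state change the guard that keeps the invariant true, and implement each guarded change as an atomic await. The block below is an added worked instance written for this page, not code from SyncGen or the papers: it carries readers/writers through the derivation in comments, implements the resulting `<await guard; action>` statements with one `threading.Condition`, re-checks the invariant on every transition, and stresses the result from several threads. Thread counts, sleeps and the violation bookkeeping are constructed for the demo.

```python
# Added example (not from the papers or SyncGen): Andrews' global invariant
# method worked for readers/writers and exercised by a thread stress test.
# Each synchronisation point is a coarse-grained <await guard; action> whose
# guard is the weakest precondition of the action with respect to the
# invariant; the await is implemented with a single threading.Condition.
import random
import threading
import time


class ReadersWriters:
    """Global invariant RW:  nr >= 0 and nw >= 0 and (nr == 0 or nw == 0) and nw <= 1

    Guards derived as wp(action, RW), simplified using RW itself:
      start_read  : nr := nr + 1   needs  nw == 0
      end_read    : nr := nr - 1   needs  nothing (a reader is active, so nw == 0 already)
      start_write : nw := nw + 1   needs  nr == 0 and nw == 0
      end_write   : nw := nw - 1   needs  nothing (the writer is active, so nr == 0 already)
    """

    def __init__(self) -> None:
        self.nr = 0
        self.nw = 0
        self.cv = threading.Condition()

    def invariant(self) -> bool:
        return self.nr >= 0 and self.nw >= 0 and (self.nr == 0 or self.nw == 0) and self.nw <= 1

    def _await(self, guard, action) -> None:
        """<await guard; action>: block until guard holds, then apply action atomically."""
        with self.cv:
            self.cv.wait_for(guard)
            action()
            assert self.invariant(), "global invariant violated"   # checked on every transition
            self.cv.notify_all()            # some waiter's guard may now be true

    def start_read(self) -> None:
        self._await(lambda: self.nw == 0, lambda: setattr(self, "nr", self.nr + 1))

    def end_read(self) -> None:
        self._await(lambda: True, lambda: setattr(self, "nr", self.nr - 1))

    def start_write(self) -> None:
        self._await(lambda: self.nr == 0 and self.nw == 0, lambda: setattr(self, "nw", self.nw + 1))

    def end_write(self) -> None:
        self._await(lambda: True, lambda: setattr(self, "nw", self.nw - 1))

    def snapshot(self):
        with self.cv:
            return self.nr, self.nw


def stress(n_readers: int = 4, n_writers: int = 2, rounds: int = 20) -> dict:
    """Run readers and writers concurrently; count observations that contradict RW."""
    rw = ReadersWriters()
    violations = [0]
    lock = threading.Lock()

    def note_violation():
        with lock:
            violations[0] += 1

    def reader():
        for _ in range(rounds):
            rw.start_read()
            nr, nw = rw.snapshot()
            if nw != 0 or nr < 1:           # a reader must never see an active writer
                note_violation()
            time.sleep(random.uniform(0, 0.002))
            rw.end_read()
            time.sleep(random.uniform(0, 0.002))

    def writer():
        for _ in range(rounds):
            rw.start_write()
            nr, nw = rw.snapshot()
            if nr != 0 or nw != 1:          # a writer must be alone
                note_violation()
            time.sleep(random.uniform(0, 0.002))
            rw.end_write()
            time.sleep(random.uniform(0, 0.002))

    threads = [threading.Thread(target=reader) for _ in range(n_readers)]
    threads += [threading.Thread(target=writer) for _ in range(n_writers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"violations": violations[0], "final": rw.snapshot()}


if __name__ == "__main__":
    print(stress())
```

The two "needs nothing" cases are the point of doing the derivation rather than guessing: `end_read` and `end_write` never block, because the invariant itself guarantees the state they leave behind is legal. A `notify_all` after every transition is the simplest correct translation of the coarse-grained await (a condition-per-guard translation with targeted `notify` is the usual optimisation, but it has to be justified guard by guard). This particular invariant gives readers priority, so writers can be delayed while readers keep arriving; a different policy needs a different invariant, not a patch to the code.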
IEEE Distributed Systems Online, 2002
Lecture Notes in Computer Science, 1997
We illustrate in this paper a compositional and stepwise method for designing programs that offer a potentially unique tolerance to each of their fault classes. More specifically, our illustration is a design of a repetitive agreement program that offers two tolerances: (a) it masks the effects of Byzantine failures and (b) it is stabilizing in the presence of transient and Byzantine failures.
[1991 Proceedings] Tenth Annual International Phoenix Conference on Computers and Communications
A collection of quorums is called a coterie. The authors present an algorithm to construct coteries by composing existing coteries. The resulting coteries are called composite coteries. Several different measures may be used to analyze coteries. One of the most commonly used measures is availability. In general, it is difficult to directly compute the availability of coteries in a large system. An efficient method is described to compute the availability of composite coteries, even in a large system.
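As an added illustration of the coterie entry above (written for this page, not the authors' construction or availability algorithm): the block builds majority coteries, checks the two coterie properties, computes availability by brute-force enumeration of up-sets, composes a coterie over disjoint node groups, and shows why composition makes availability cheap to compute. The folding in `availability_composite` rests on two assumptions stated in the code: groups are disjoint, and nodes fail independently, so a group's own availability can stand in as the availability of a single node of the outer coterie. Node names and the 0.9 failure-free probability are constructed.

```python
# Added example (not the paper's algorithm): coterie construction, the
# intersection and minimality properties, brute-force availability, and the
# composition of coteries over disjoint node groups.  Node names and
# probabilities are constructed; availability_composite assumes disjoint
# groups and independent node failures.
import itertools
from typing import Dict, FrozenSet, List, Sequence

Quorum = FrozenSet[str]


def majority_coterie(nodes: Sequence[str]) -> List[Quorum]:
    """All subsets of size floor(n/2)+1: any two intersect and none contains another."""
    k = len(nodes) // 2 + 1
    return [frozenset(c) for c in itertools.combinations(nodes, k)]


def is_coterie(quorums: Sequence[Quorum]) -> bool:
    """Intersection property plus minimality, checked pairwise."""
    qs = list(quorums)
    if not qs:
        return False
    for a in qs:
        for b in qs:
            if not (a & b) or a < b:
                return False
    return True


def availability_brute(quorums: Sequence[Quorum], p: Dict[str, float]) -> float:
    """P(some quorum is entirely up), enumerating all 2^n up-sets (fine for small n only)."""
    nodes = sorted(frozenset().union(*quorums))
    total = 0.0
    for mask in range(1 << len(nodes)):
        up = frozenset(n for i, n in enumerate(nodes) if mask >> i & 1)
        if any(q <= up for q in quorums):
            prob = 1.0
            for n in nodes:
                prob *= p[n] if n in up else 1.0 - p[n]
            total += prob
    return total


def compose(outer: Sequence[Quorum], inner: Dict[str, Sequence[Quorum]]) -> List[Quorum]:
    """Composite coterie: each outer node g stands for the coterie inner[g] over g's own nodes.
    A composite quorum takes one inner quorum from every group of some outer quorum."""
    result = []
    for oq in outer:
        for pick in itertools.product(*(inner[g] for g in sorted(oq))):
            result.append(frozenset().union(*pick))
    return result


def availability_composite(outer, inner, p: Dict[str, float]) -> float:
    """Availability without expanding the composite.  A group is 'up' exactly when its
    inner coterie has an up quorum; with disjoint groups and independent nodes those
    events are independent, so inner availabilities serve as node availabilities of
    the outer coterie.  Cost: one small enumeration per group plus one for the outer."""
    p_group = {g: availability_brute(inner[g], p) for g in inner}
    return availability_brute(outer, p_group)


def composite_example(p_node: float = 0.9) -> dict:
    """Majority-of-3 groups, each a majority-of-3 coterie: 9 nodes, 27 composite quorums."""
    groups = {g: [f"{g}{i}" for i in range(1, 4)] for g in ("A", "B", "C")}
    inner = {g: majority_coterie(nodes) for g, nodes in groups.items()}
    outer = majority_coterie(list(groups))
    composite = compose(outer, inner)
    p = {n: p_node for nodes in groups.values() for n in nodes}
    return {
        "is_coterie": is_coterie(composite),
        "n_quorums": len(composite),
        "direct": availability_brute(composite, p),          # 2^9 up-sets x 27 quorums
        "folded": availability_composite(outer, inner, p),   # 3 x 2^3 + 2^3 terms
    }


if __name__ == "__main__":
    print(composite_example())
```

With node availability 0.9, a majority-of-3 coterie is available with probability 3(0.9)^2(0.1) + (0.9)^3 = 0.972, and the composite of three such groups under an outer majority is available with probability 3(0.972)^2(0.028) + (0.972)^3, about 0.99769; `direct` and `folded` agree to floating-point precision. The brute-force route is exponential in the total node count, whereas the folded route is exponential only in the size of each group and of the outer coterie, which is what makes composition usable for large systems.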
Journal of Systems and Software, 1993