Verification of Clock Synchronization Algorithms: Experiments on a Combination of Deductive Tools (original) (raw)
Related papers
A Modular Proof of Correctness for a Network Synchronizer (Research Summary)
International Workshop on Distributed Algorithms, 1987
In this paper we offer a formal, rigorous proof of the correctness of Awerbuch's algorithm for network synchronization. We specify both the algorithm and the correctness condition using the I/O automaton model, which has previously been used to describe and verify algorithms for concurrency control and resource allocation. We show that the model is also a powerful tool for reasoning about distributed graph algorithms. Our proof of correctness follows closely the intuitive arguments made by the designer of the algorithm by exploiting the model's natural support for such important design techniques as stepwise refinement and modularity. In particular, since the algorithm uses simpler algorithms for synchronization within and between 'clusters' of nodes, our proof can import as lemmas the correctness of these simpler algorithms. 1 Overview 1.1 Verification methods and models As computer science has matured as a discipline, its activity has broadened from writing programs to include reasoning about those programs: proving their correctness and efficiency, and proving bounds on the performance of any program that accomplishes the same task. Recently distributed computing has begun to broaden in this way (albeit a decade or two later than the part of computer science concerned with sequential, uniproeessor algorithms). There are several reasons why particular care is necessary to prove the correctness of algorithms when the algorithms
Using integer clocks to verify clock-synchronization protocols
Innovations in Systems and Software Engineering, 2011
We use the Uppaal model checker for Timed Automata to verify the Timing-Sync time-synchronization protocol for sensor networks (TPSN), the clocksynchronization algorithm of Lenzen, Locher and Wattenhofer for general distributed systems (LLW), and the clock-thread technique of the Software Monitoring with Controllable Overhead algorithm (SMCO). Clocksynchronization algorithms such as TPSN, LLW, and SMCO must be able to perform arithmetic on clock values in order to calculate clock drift and network propagation delays. They must also be able to read the value of a local clock and assign it to another local clock. Such operations are not directly supported by the theory of Timed Automata.
Authenticated Agreement Protocols without Explicit Clock Synchronisation
Proceedings of the …, 1995
Replicated processing requires that replicas reach agreement on the order in which messages are to be processed. Synchronous and deterministic agreement protocols published in the literature require replicas to maintain an abstraction of clocks that are kept in bounded synchronism. We present a protocol that does not have this requirement and relies only on physical, hardware clocks with bounded drifting rates. Its performance is shown to be as good as the performance of protocols that do require synchronised clocks. A variation of the protocol is then derived for more practical, Triple Modular Redundant (TMR) systems, and is shown to have better performance than existing protocols. These protocols are well suited to perform process replication.
Approximate Synchrony : An Abstraction for Distributed Time-Synchronized Systems
2014
Time synchronization plays a central role in the design of reliable distributed embedded systems. However, the clocks of nodes that are time-synchronized are only guaranteed to be equal within a certain tolerance. Thus, when modeling and verifying distributed protocols that involve or rely upon time synchronization, abstractions are needed that accurately capture the notion of systems being “almost synchronized.” In this paper, we present the concept of approximate synchrony, a modeling and verification abstraction for time-synchronized systems. Approximate synchrony is a sound and tunable abstraction. We have implemented approximate synchrony as a part of a model checker and used it to verify the Best Master Clock (BMC) algorithm, the core component of IEEE 1588 precision time protocol and the time-synchronized channel hopping protocol that is part of the IEEE 802.15.4e standard.
Sustaining Property Verification of Synchronous Dependable Protocols Over Implementation
2007
It is often considered that a protocol that has been verified for its dependability properties at the protocol level maintains these proven properties over its implementation. Focussing on synchronous protocols, we demonstrate that this assumption can easily be fallacious using the example of an existing formally verified diagnostic protocol as implemented onto the targeted time-triggered architecture (TTA). The cause is identified as the overlap mismatch across the computation and communication phases in TTA, which does not match the system assumptions of the protocol. To address this mismatch problem, we develop the concept of a generic alignment (co-ordination) layer to implement the desired communication assumptions. The strength of this approach is that the verification of this alignment layer ensures that the formally proved properties of a protocol also hold over their implementation.
Clock synchronization with faults and recoveries (extended abstract)
Proceedings of the nineteenth annual ACM symposium on Principles of distributed computing - PODC '00, 2000
We present a convergence-function based clock synchronization algorithm, which is simple, e cient and fault-tolerant. The algorithm is tolerant of failures and allows recoveries, as long as less than a third of the processors are faulty`at the same time'. Arbitrary (Byzantine) faults are tolerated, without requiring awareness of failure or recovery. In contrast, previous clock synchronization algorithms limited the total number of faults throughout the execution, which is not realistic, or assumed fault detection.
Applying a Theorem Prover to the Verification of Optimistic Replication Algorithms
2007
The Operational Transformation (OT) approach is a technique for supporting optimistic replication in collaborative and mobile systems. It allows the users to concurrently update the shared data and exchange their updates in any order since the convergence of all replicas, i.e. the fact that all users view the same data, is ensured in all cases. However, designing algorithms for achieving convergence with the OT approach is a critical and challenging issue. In this paper, we address this issue for the important case where the shared data has a linear structure such as lists, texts, ordered XML trees, etc. We analyze the problem and we propose a generic solution with its formal analysis. We also show in this work how to support the formal design of an OT algorithm with a rewrite-based theorem prover. This theorem prover enables us to envisage the large number of cases required for the correctness proof of the algorithm. Since the manual proofs of all previously published algorithms were wrong, this shows the decisive advantage of using an automatic prover in this context.
Inductive Theorem Prover Based Veri…cation of Concurrent Algorithms
2000
This paper describes a contribution to the area of mechanically theorem proving focusing especially on the automation of the invariance proof. In this respect, we present an initial version of a tool for automatically checking the invariance property of concurrent algorithms. Input to the tool consists of the soundness prop- erties, expressed in TLA (Temporal Logic of Actions) that is
Distributed Runtime Verification Under Partial Synchrony
2021
In this paper, we study the problem of runtime verification of distributed applications that do not share a global clock with respect to specifications in the linear temporal logics (LTL). Our proposed method distinguishes from the existing work in three novel ways. First, we make a practical assumption that the distributed system under scrutiny is augmented with a clock synchronization algorithm that guarantees bounded clock skew among all processes. Second, we do not make any assumption about the structure of predicates that form LTL formulas. This relaxation allows us to monitor a wide range of applications that was not possible before. Subsequently, we propose a distributed monitoring algorithm by employing SMT solving techniques. Third, given the fact that distributed applications nowadays run on massive cloud services, we extend our solution to a parallel monitoring algorithm to utilize the available computing infrastructure. We report on rigorous synthetic as well as real-wor...
A method for the verification of a distributed and synchronized algorithm
International Journal of Production Research, 2004
In the model checking context, the method used to detect stable properties is to construct the synchronized product of the input automata. The problem of such a method is the well known state space explosion. We present a new algorithm that allows to restrict this explosion, by constructing only the states necessary to check the stable properties. The basic idea is to forget the states non relevant to the verification. This is done by agregating the concurent transitions.