TORA, Verification, Proofs and Model Checking

EXTENDED ABSTRACT

Routing protocols for mobile ad hoc networks (MANETs) are one of the most essential components of such networks, the other being media access control (MAC) protocols. Unfortunately, most existing routing protocols for MANETs are so complex that their properties, weaknesses and performance cannot be investigated analytically (at least using conventional analytic methods); instead, simulations have become the typical means of analyzing them. This is an unfortunate state of affairs for such an important networking component.

In this paper we develop a different means for analyzing the properties and performance of routing protocols for MANETs, based on methods and techniques from formal specifications [3] and the associated formal means for proof and validation. The aim is to develop rigorous proofs and tools for performance checking and analysis. The primary goal of this type of research is to develop a way to automatically check a specification for correctness and liveness properties. A secondary, but equally important, role is the development of automatic tools for ameliorating discovered weaknesses and for designing such routing protocols so as to satisfy pre-specified properties and performance.

In this paper we use rigorous mathematical proof and model checking to verify the correctness of the Temporally Oriented Routing Algorithm [1] (TORA), which is a MANET routing algorithm (protocol). The main difficulty in applying any automated formal methods is exponential state space explosion. Formal methods have been applied successfully to protocols where the number of states is clearly finite. TORA has an infinite number of states, though there is a structure to the state space that makes it simpler than the general problem. TORA derives from a class of link reversal algorithms referred to as the Gafni-Bertsekas (GB) algorithms [2].
Any algorithm of this class exhibits certain desirable properties, but TORA falls outside this class of algorithms. For example, while all GB algorithms are path independent, TORA is not, meaning the set of final heights is not entirely determined by the initial conditions. Also, unlike the GB algorithms, the number of reversals depends on the ordering of events. While many properties from the GB algorithms are lost, TORA should still always converge in a finite period of time. Establishing this formally is one of the results of this paper. The heights used in TORA are based on time (temporally oriented heights), and therefore they are always globally the greatest heights in the …
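
The path independence of GB algorithms contrasted with TORA above can be checked on a small case. The following is an added example, not code from the paper: a Python implementation of the GB full reversal rule with heights (alpha_i, i), run on a constructed six-node graph under many different event orderings. The graph, initial values and all function names are assumptions made for illustration.

```python
import random

# Constructed sample: connected graph, destination 0, initial alpha values
# chosen so that nodes 4 and 5 both start as sinks (several orderings exist).
EDGES = [(0, 1), (1, 2), (1, 3), (2, 4), (3, 4), (3, 5)]
ALPHA0 = {0: 0, 1: 5, 2: 1, 3: 2, 4: 0, 5: 0}
DEST = 0

def full_reversal(edges, alpha, dest, pick):
    """Run GB full reversal until no non-destination node is a sink.

    The height of node i is the pair (alpha[i], i), compared lexicographically;
    a link points from its higher endpoint to its lower one. `pick` selects
    which sink fires next, modelling the ordering of events. Assumes a
    connected graph. Returns (final alpha, reversal count per node).
    """
    alpha = dict(alpha)
    nbrs = {n: set() for n in alpha}
    for u, v in edges:
        nbrs[u].add(v)
        nbrs[v].add(u)
    count = {n: 0 for n in alpha}

    def is_sink(n):
        # No outgoing link: every neighbour is strictly higher than n.
        return n != dest and all((alpha[m], m) > (alpha[n], n) for m in nbrs[n])

    while True:
        sinks = sorted(n for n in alpha if is_sink(n))
        if not sinks:
            return alpha, count
        n = pick(sinks)
        # Full reversal: rise above every neighbour, reversing all links of n.
        alpha[n] = max(alpha[m] for m in nbrs[n]) + 1
        count[n] += 1

def distinct_outcomes(seeds=range(25)):
    """Collect outcomes over lowest-id, highest-id and seeded random orderings."""
    pickers = [min, max] + [random.Random(s).choice for s in seeds]
    seen = set()
    for pick in pickers:
        a, c = full_reversal(EDGES, ALPHA0, DEST, pick)
        seen.add((tuple(sorted(a.items())), tuple(sorted(c.items()))))
    return seen

if __name__ == "__main__":
    for heights, counts in distinct_outcomes():
        print("final alpha:", dict(heights))
        print("reversals:  ", dict(counts))
```

Every ordering yields the same final heights and the same per-node reversal counts, which is the property the abstract says TORA loses.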