Kåre J. Kristoffersen

Verification of an Audio Protocol with Bus Collision Using UPPAAL

In this paper we apply the tool Uppaal1 to an automatic analysis of a version of the Philips Audio Control Protocol with two senders and bus collision handling. This case study is significantly larger than the real-time/hybrid systems previously analysed by automatic tools. During the case study the tool Uppaal was extended with a new feature, committed locations, allowing efficient modelling of broadcast communication.

Verification of Large State/Event Systems Using Compositionality and Dependency Analysis

A state/event model is a concurrent version of Mealy machines used for describing embedded reactive systems. This paper introduces a technique that uses compositionality and dependency analysis to significantly improve the efficiency of symbolic model checking of state/event models. This technique makes possible automated verification of large industrial designs with the use of only modest resources (less than one hour on a standard PC for a model with 1421 concurrent machines). The results of the paper are being implemented in the next version of the commercial tool visualSTATEℳ.

A Compositional Proof of a Real-Time Mutual Exclusion Protocol

In this paper, we apply a compositional proof technique to an automatic verification of the correctness of Fischers mutual exclusion protocol. It is demonstrated that the technique may avoid the stateexplosion problem. Our compositional technique has recently been implemented in a tool CMC 5, which verifies the protocol for 50 processes within 172.3 seconds and using only 32MB main memory. In contrast all existing verification tools for timed systems will suffer from the stateexplosion problem, and no tool has to our knowledge succeeded in verifying the protocol for more than 11 processes.

Runtime Verification of Timed LTL using Disjunctive Normalized Equation Systems

Abstract In this paper we present a new framework for runtime verification of properties of real time systems such as financial systems or backend databases. Such a systems has a semantics which resemples that of timed traces, namely a sequence of states where each state consists of predicates true in this state and then a timestamp explaining when the state is valid. We present a logic, LTL t , which is an extension of LTL with time constraints and a freeze quantifier and show how formulae in this logic are able to express properties of bounded liveness and safety which are ideal for these systems. It is shown how a formula in LTL t may be rewritten to a certain disjunctive normal form suitable for checking a real time system at runtime. The normal form captures the essential part of runtime verification by a set of mutually defined formula identifiers, each expressing two things: What should hold now and which formula identifiers that will need to hold in the next state. As part of the theoretical foundation for this work we propose a characterization of Runtime Verification and address the challenges in developing a method which is both sound and complete while at the same time efficient.

Model-checking real-time control programs: verifying LEGO MINDSTORMS TM systems using UPPAAL

The authors present a method for automatic verification of real time control programs running on LEGO RCX TM bricks using the verification tool UPPAAL. The control programs, consisting of a number of tasks running concurrently, are automatically translated into the timed automata model of UPPAAL. The fixed scheduling algorithm used by the LEGO RCXTM processor is modeled in UPPAAL, and supply of similar (sufficient) timed automata models for the environment allows analysis of the overall real time system using the tools of UPPAAL. To illustrate our techniques, we have constructed, modeled and verified a machine for sorting LEGO bricks by color.

Automated verification of an audio-control protocol using UPPAAL

In this paper we present a case-study in which the tool Uppaal is extended and applied to verify an audio-control protocol developed by Philips. The size of the protocol studied in this paper is significantly larger than case studies, including various abstract versions of the same protocol without bus-collision handling, reported previously in the community of real-time verification. We have checked that the protocol will function correctly if the timing error of its components is bound to ±5%, and incorrectly if the error is ±6%. In addition, using Uppaal’s ability of generating diagnostic traces, we have studied an erroneous version of the protocol actually implemented by Philips, and constructed a possible execution sequence explaining the error. During the case-study, Uppaal was extended with the notion of committed locations. It allows for accurate modelling of atomic behaviours, and more importantly, it is utilised to guide the state-space exploration of the model checker to avoid exploring unnecessary interleavings of independent transitions. Our experimental results demonstrate considerable time and space-savings of the modified model checking algorithm. In fact, due to the huge time and memory-requirement, it was impossible to check a simple reachability property of the protocol before the introduction of committed locations, and now it takes only seconds.

Practical verification of embedded software

Using a new verification algorithm called the compositional backward technique, the authors demonstrate that they can exhaustively verify even the largest industrial applications-comprising more than 1,000 components-in a few minutes on a standard PC.

Automatic Synthesis of Real Time Systems

This paper presents a method for automatically constructing real time systems directly from their specifications. The model–construction problem is considered for implicit specifications of the form: (A1 | . . . |An |X) sat S where S is a real time (logical) specification, A1 . . . An are given (regular) timed agents and the problem is to decide whether there exists (and if possible exhibit) a real time agent X which when put in parallel with A1 . . . An will yield a network satisfying S. The method presented proceeds in two steps: first, the implicit specification of X is transformed into an equivalent direct specification of X; second, a model for this direct specification is constructed (if possible) using a direct model construction algorithm. A prototype implementation of our method has been added to the real time verification tool EPSILON.

Multimodal wireless networks: distributed surveillance with multiple nodes

Multimodal wireless networks are wireless networks that offer multiple functionalities realized on the same infrastructure. In this paper, we consider a multimodal network that has two modes of operation: the communication mode, when the network is used as a traditional wireless communication network, and the surveillance mode, when the network is used as a distributed sensor network that can detect illegal intrusion by detecting changes in the propagation environment caused by the intruder. We address the problem of distributed surveillance in a network consisting of multiple nodes: we develop a multi-sensor model for the received signal parameters of interest and derive a detector capable of detecting changes in these parameters. The experimental results demonstrate that combining the information from different nodes with the appropriate fusion function results in considerably improved detection performance compared to that of single-node detectors.

Indoor surveillance with multimodal wireless networks

In this paper, we propose a new family of wireless networks, the multimodal wireless networks. These networks offer multiple functionalities realized on the same infrastructure. We describe a wireless network that has two modes of operation: the communication mode, when the network is used as a traditional wireless communication network and the surveillance mode, when the network is used as a distributed sensor network that can detect illegal intrusion. The surveillance functionality is realized by analyzing the properties of the received signals and the change of the propagation environment caused by the intruder serves as the basis for intrusion detection. We also develop a general single-receiver model for detecting changes in a signal parameter of interest and derive a parameter change detector. The experimental results demonstrate that low-cost, off-the-shelf IEEE 802.11b WLAN hardware can be used as building blocks for multimodal networks.